  • CISM material
  • Two paths of logical access are shown: brown through the WLAN and to the server, the second through the laptop and the server. In both cases the security is poor, since logical access control is guaranteed, at best, only at the server (and possibly not at the printer). At least through the Internet, the path of logical access goes through a border router/firewall, and then either through the LAC at the de-militarized zone's servers, or through the second router/firewall and the LAC at those servers (if any).
  • Anti-virus software is an example of signature-based software. In the graph above, on Wed we had some unusual traffic that needs looking into.
  • The hardest way to get in is via the internet. The easiest way is through floppies/CD, telephone modem, and WLAN, all of which do not get filtered by a router/firewall.
  • Someone dials up and wants to access our network. Should we trust him/her? No! Let’s call back to the location he/she lives and allow them access only from there. RADIUS and TACACS are well-known NAS products.
  • Bastion host would have other requirements: up-to-date patches, applications turned off. A dual-homed firewall requires access to two networks. A screened host refers to a firewall with an external router screening it.

    1. Network Security Attacks: Technical Solutions

    2. Acknowledgments
      • Material is from: CISA Review Manual, 2009; many other Network Security sources
      • Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
      • Reviewers:
      • Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
      • Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

    3. The Problem of Network Security
      • The Internet allows an attacker to attack from anywhere in the world from their home desk.
      • They need to find only one vulnerability; a security analyst needs to close every vulnerability.

    4. Crackers
      • Cracker: Computer-savvy programmer who creates attack software
      • Script Kiddies: Know how to execute programs
      • Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries; "Successful attacks! Crazyman broke into … CoolCat penetrated…"
      • Criminals: Create & sell botnets -> spam; sell credit card numbers, …
      • System Administrators: Some scripts are useful to protect networks…
      • Prices: Malware package = $1K-2K; 1 M Email addresses = $8; 10,000 PCs = $1000

    5. Hacking Networks Phase 1: Reconnaissance
      • Physical Break-In
      • Dumpster Diving
      • Google, Newsgroups, Web sites
      • WhoIs Database & Sam Spade
      • Social Engineering
      • Domain Name Server Interrogations
      • Sample WhoIs record shown on the slide:
          Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, US
          Domain name: MICROSOFT.COM
          Administrative Contact: Administrator, Domain [email_address], One Microsoft Way, Redmond, WA 98052, US, +1.4258828080
          Technical Contact: Hostmaster, MSN [email_address], One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
          Registration Service Provider: DBMS VeriSign, 800-579-2848 x4. Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
          Registrar of Record: TUCOWS, INC.
          Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991.
          Domain servers in listed order: NS3.MSFT.NET, NS1.MSFT.NET, NS4.MSFT.NET, NS2.MSFT.NET, NS5.MSFT.NET

    6. Social Engineering (speech bubbles on the slide)
      • "I need a password reset. What is the passwd set to?"
      • "This is John, the System Admin. What is your password?"
      • Email: "ABC Bank has noticed a problem with your account…"
      • "I have come to repair your machine… and have some software patches"
      • "What ethnicity are you? Your mother's maiden name?"

    7. Logic Bomb
      • Logic Bomb = Malware that has a malicious purpose in addition to its functional purpose
      • Software which will malfunction if the maintenance fee is not paid
      • + Social Engineering: "Try this game…it is so cool"
          • Game also emails the password file.

    8. Phishing = Fake Email
      • "ABC BANK: Your bank account password is about to expire. Please login…"
      • "The bank has found problems with your account. Please contact …"

    9. Pharming = Fake web pages
      • Pharming: A fake web page may lead to a real web page
      • The fake web page looks like the real thing
          • Extracts account information
      (Mock-up on the slide: "Welcome To ABC Bank" page with Login and Passwd fields)

    10. Hacking Networks Phase 2: Scanning
      • War Driving: Can I find a wireless network?
      • War Dialing: Can I find a modem to connect to?
      • Network Mapping: What IP addresses exist, and what ports are open on them?
      • Vulnerability-Scanning Tools: What versions of software are implemented on devices?

    11. Passive Attacks
      • Eavesdropping: Listen to packets from other parties = Sniffing
      • Traffic Analysis: Learn about the network from observing traffic patterns
      • Footprinting: Test to determine software installed on a system = Network Mapping
      (Diagram: Bob (A), Jennie (B), Carl (C) and a packet in transit)

    12. Hacking Networks: Phase 3: Gaining Access
      • Network Attacks: Sniffing (Eavesdropping), IP Address Spoofing, Session Hijacking
      • System Attacks: Buffer Overflow, Password Cracking, SQL Injection, Web Protocol Abuse, Denial of Service, Trap Door
      (Diagram: a captured login, "Login: Ginger Password: Snap")

    13. Some Active Attacks
      • Denial of Service: Message did not make it; or service could not run
      • Masquerading or Spoofing: The actual sender is not the claimed sender
      • Message Modification: The message was modified in transmission
      • Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
      (Diagrams with Joe, Ann and Bill illustrating each: Denial of Service; Spoofing (Joe, actually Bill); Message Modification; Packet Replay)

    14. Man-In-The-Middle Attack
      (Diagram: the Victim's Login goes to a Trojan AP or Rogue Access Point, which relays it to the Real AP)
      • Also implements SPOOFING

    15. Man-in-the-Middle Attack
      (Diagram sequence: (1) Login, (2) Login, (3) Password, (4) Password, each relayed through the man in the middle)

    16. SQL Injection
      • Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
      • Inserted Password: Aa' OR ''='
      • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ' ' = ' ';
      • Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
      • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
      • Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
      (Mock-up on the slide: login form, "Welcome to My System")
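The slide's concatenated login query beside its parameterized form, run against a constructed in-memory SQLite users_table with the slide's first "Inserted Password". This is an added example, not code from the slides; the table rows and the sqlite3 back end are assumptions standing in for the Java/JDBC original.

```python
# Added example (not from the slides): concatenated SQL versus parameterized SQL.
import sqlite3


def make_db():
    """Constructed sample database: two users, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "S3cret!")])
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Mirrors the slide's 'Java Original': input is spliced into the SQL text."""
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT * FROM users_table WHERE username=? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return (rows matched by the concatenated query, rows matched by the parameterized one)."""
    conn = make_db()
    bad_pw = "Aa' OR ''='"          # the slide's "Inserted Password"
    # Concatenation yields ... password = 'Aa' OR ''='' : the OR is true for every row.
    rows_concat = login_concat(conn, "anyname", bad_pw)
    # With a placeholder the same string is compared literally against the password column.
    rows_param = login_param(conn, "anyname", bad_pw)
    return len(rows_concat), len(rows_param)


if __name__ == "__main__":
    print(demo())   # (2, 0): every user "logs in" via concatenation, nobody via parameters
```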
    17. Virus
      • A virus attaches itself to a program, file, or disk
      • When the program is executed, the virus too is executed
      • When the program is given away (floppy/email) the virus spreads
      • The virus may be benign or malignant but executes its payload at some point (often upon contact)
      (Diagram: Program A plus Extra Code infects another Program A; "Cough Cough! Don't come close!")

    18. Worm
      • Worm: Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
      (Diagram: copies sent "To Joe", "To Ann", "To Jill" from an email list)

    19. Password Cracking: Dictionary Attack & Brute Force

      Pattern                             | Calculation | Result  | Time to Guess (2.6x10^18/month)
      Personal Info: interests, relatives | 20          | Manual  | 5 minutes
      Social Engineering                  | 1           | Manual  | 2 minutes
      American Dictionary                 | 80,000      |         | < 1 second
      4 chars: lower case alpha           | 26^4        | 5x10^5  |
      8 chars: lower case alpha           | 26^8        | 2x10^11 |
      8 chars: alpha                      | 52^8        | 5x10^13 |
      8 chars: alphanumeric               | 62^8        | 2x10^14 | 3.4 min.
      8 chars: alphanumeric + 10          | 72^8        | 7x10^14 | 12 min.
      8 chars: all keyboard               | 95^8        | 7x10^15 | 2 hours
      12 chars: alphanumeric              | 62^12       | 3x10^21 | 96 years
      12 chars: alphanumeric + 10         | 72^12       | 2x10^22 | 500 years
      12 chars: all keyboard              | 95^12       | 5x10^23 |
      16 chars: alphanumeric              | 62^16       | 5x10^28 |

    20. Hacking Networks: Phase 4: Exploit/Maintain Access
      • Backdoor: Control system: system commands, log keystrokes, pswd
      • Trojan Horse: Useful utility actually creates a backdoor
      • Spyware: Collect info: keystroke logger, collect credit card #s, insert ads, filter search results
      • Bots: Slave forwards/performs commands; spreads, lists email addrs, DOS attacks
      • User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
      • Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide

    21. Root Kit
      • Upon penetrating a computer, a hacker installs a root kit
      • May enable:
          • Easy entrance for the hacker (and others)
          • Keystroke logger
      • Eliminates evidence of break-in
      • Modifies the operating system
      (Diagram: Backdoor entry, Keystroke Logger, Hidden user)

    22. Botnets
      • Attacker -> Handler -> Bots (Zombies), e.g. in China, Hungary
      • Bots: Host illegal movies, music, pornography, criminal web sites, …
      • Forward Spam for financial gain

    23. Distributed Denial of Service
      • Attacker -> Handler -> Zombies (e.g. in China, Hungary, United States) -> Victim
      • Can barrage a victim server with requests, causing the network to fail to respond to anyone

    24. Network Security
      • Network Defense
      • Encryption

    25. Security: Defense in Depth
      • Border Router
      • Perimeter firewall
      • Internal firewall
      • Intrusion Detection System
      • Policies & Procedures & Audits
      • Authentication
      • Access Controls

    26. Bastion Host
      • Computer fortified against attackers
      • Applications turned off
      • Operating system patched
      • Security configuration tightened

    27. Attacking the Network
      (Diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Private Network, Commercial Network)

    28. Filters
      • Content Filter: Scans contents of packets and discards them if the ruleset fails (e.g., Intrusion Prevention System or firewall)
      • Packet Filter: Scans headers of packets and discards them if the ruleset fails (e.g., Firewall or router)
      • Route Filter: Verifies source and destination IP addresses
      (Diagram: "The good, the bad & the ugly…" enter the Filter; "The bad & the ugly" are dropped, "The Good" pass)

    29. Firewall Configurations
      • Packet Filtering: Packet header is inspected
          • Single packet attacks caught
          • Very little overhead in firewall: very quick
          • High volume filter
      • Stateful Inspection: State retained in firewall memory
          • Most multi-packet attacks caught
          • More fields in packet header inspected
          • Little overhead in firewall: quick
      (Diagrams: terminal A - firewall - host, with a router in the packet-filtering case)

    30. Firewall Configurations
      • Circuit-Level Firewall: Packet session terminated and recreated via a Proxy Server
          • All multi-packet attacks caught
          • Packet header completely inspected
          • High overhead in firewall: slow
      • Application-Level Firewall: Packet session terminated and recreated via a Proxy Server
          • Packet header completely inspected
          • Most or all of application inspected
          • Highest overhead: slow & low volume
      (Diagrams: terminal A - firewall - host; session A terminates at the firewall and session B is recreated to the host)
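The difference between the packet filter and stateful inspection on slides 29 and 30, shown on constructed packets: the header-only rule must trust a source port to let web replies in, while the stateful filter admits only replies to flows it saw leave. Added example, not from the slides; the 10.0.0.0/24 internal network and the 4-tuple packets are assumptions.

```python
# Added example (not from the slides): stateless packet filter vs stateful inspection.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed internal (protected) network

# A packet is modelled as (src_ip, src_port, dst_ip, dst_port); TCP assumed.


def packet_filter(pkt):
    """Stateless: decide from this packet's own header fields alone."""
    src, sport, dst, dport = pkt
    if ip_address(src) in INTERNAL:
        return True                          # anything outbound is permitted
    # Inbound: the only header-level way to let web replies through is to
    # trust source port 80, so any packet claiming sport 80 is admitted.
    return ip_address(dst) in INTERNAL and sport == 80


class StatefulFilter:
    """Stateful inspection: remembers outbound flows in firewall memory."""

    def __init__(self):
        self.table = set()   # established flows, keyed by the outbound 4-tuple

    def decide(self, pkt):
        src, sport, dst, dport = pkt
        if ip_address(src) in INTERNAL:
            self.table.add((src, sport, dst, dport))   # record the flow
            return True
        # Inbound: permit only if it is the reverse of a flow we saw go out.
        return (dst, dport, src, sport) in self.table


def demo():
    """Return ([stateless verdicts], [stateful verdicts]) for three constructed packets."""
    outbound    = ("10.0.0.5", 51000, "203.0.113.7", 80)      # client opens a web session
    reply       = ("203.0.113.7", 80, "10.0.0.5", 51000)      # legitimate reply
    unsolicited = ("198.51.100.9", 80, "10.0.0.5", 4444)      # no matching outbound flow
    sf = StatefulFilter()
    stateless = [packet_filter(p) for p in (outbound, reply, unsolicited)]
    stateful = [sf.decide(p) for p in (outbound, reply, unsolicited)]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())   # ([True, True, True], [True, True, False])
```

The unsolicited packet is the "multi-packet attack" case from the slide: it is invisible to a header-only rule and caught only because the stateful filter knows no session was opened.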
    31. Path of Logical Access
      • How many logical access checks are required?
      • How could access control be improved?
      (Diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Router/Firewall, Private Network, WLAN)

    32. Protecting the Network
      (Diagram: The Internet; Border Router: Packet Filter; De-Militarized Zone with Bastion Hosts; Proxy server firewall; Private Network; WLAN)

    33. Multi-Homed Firewall: Separate Zones
      (Diagram: Internet - Router (Screening Device) - Firewall with three interfaces: Demilitarized Zone with Proxy Interface (External DNS, Web Server, E-Commerce, VPN Server, IDS); Protected Internal Network Zone (IDS); Database/File Servers (IDS))
      • Screened Host: The router serves as a screen for the Firewall, preventing Denial of Service attacks on the Firewall.

    34. Writing Rules
      (Cycle: Policies -> Network Filter Capabilities -> Write Rules -> Protected Network -> Audit -> Failures -> Corrections)

    35. Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)
      • Network IDS = NIDS
          • Examines packets for attacks
          • Can find worms, viruses, org-defined attacks
          • Warns administrator of attack
          • IPS = Packets are routed through the IPS
      • Host IDS = HIDS
          • Examines actions or resources for attacks
          • Recognizes unusual or inappropriate behavior
          • E.g., detects modification or deletion of special files
      (Diagram: Router - Firewall - IDS)

    36. IDS Intelligence Systems
      • Signature-Based: Specific patterns are recognized as attacks
      • Statistical-Based: The expected behavior of the system is understood; if variations occur, they may be attacks (or maybe not)
      • Neural Networks: Statistical-Based with self-learning (or artificial intelligence); recognizes patterns
      (Diagram: Attacks NastyVirus, BlastWorm, NastyVirus among Normal traffic; NIDS: ALARM!!!)
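The two IDS approaches from slide 36 side by side: signature matching over packet payloads, and a statistical baseline that flags the kind of Wednesday spike the speaker notes mention. Added example, not from the slides; the byte patterns standing in for "NastyVirus" and "BlastWorm", the daily connection counts and the 2-sigma threshold are all constructed.

```python
# Added example (not from the slides): signature-based vs statistical-based IDS.
from statistics import mean, pstdev

# Constructed byte patterns standing in for the slide's attack names.
SIGNATURES = {
    "NastyVirus": b"NASTY-V1-PAYLOAD",
    "BlastWorm": b"BLAST\x90\x90",
}


def signature_ids(payloads):
    """Signature-based: return (index, name) for each payload containing a known pattern.

    Only attacks already in the signature set can be recognized.
    """
    hits = []
    for i, payload in enumerate(payloads):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((i, name))
    return hits


def statistical_ids(baseline, observed, k=2.0):
    """Statistical-based: flag days whose count exceeds the baseline mean by > k std devs.

    Unknown attacks can be caught, but a legitimate surge is flagged too ("or maybe not").
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = mu + k * sigma
    return [day for day, count in observed.items() if count > threshold]


def demo():
    """Run both detectors over constructed traffic and return their findings."""
    payloads = [                      # constructed packet payloads
        b"GET /index.html HTTP/1.1",
        b"...NASTY-V1-PAYLOAD...",
        b"hello",
        b"xxBLAST\x90\x90yy",
    ]
    baseline = [1200, 1150, 1300, 1250, 1180, 1220, 1270]   # last week's daily connection counts
    observed = {"Mon": 1210, "Tue": 1190, "Wed": 4800, "Thu": 1240}
    return signature_ids(payloads), statistical_ids(baseline, observed)


if __name__ == "__main__":
    print(demo())   # ([(1, 'NastyVirus'), (3, 'BlastWorm')], ['Wed'])
```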
    37. Remote Access Security
      • Virtual Private Network (VPN) often implemented with IPSec
      • Can authenticate and encrypt data through the Internet (red line)
      • Easy to use and inexpensive
      • Difficult to troubleshoot, less reliable than dedicated lines
      • Susceptible to malicious software and unauthorized actions
      (Diagram: The Internet - Firewall - VPN Concentrator)

    38. Network Access Server
      • NAS: Network Access Server
          • Handles user authentication, access control and accounting
          • Calls back to a pre-stored number based on user ID
          • Prone to hackers, DOS, misconfigured or insecure devices
      • RADIUS: Remote Access Dial-in User Service
      • TACACS: Terminal Access Control Access
      (Diagram: 1. Dial up and authenticate; 2. Call back (RADIUS or TACACS); 3. Connect)

    39. Honeypot & Honeynet
      • Honeypot: A system with a special software application which appears easy to break into
      • Honeynet: A network which appears easy to break into
      • Purpose: Catch attackers
      • All traffic going to the honeypot/net is suspicious
      • If successfully penetrated, can be used to launch further attacks
      • Must be carefully monitored
      (Diagram: DMZ with External DNS, Web Server, E-Commerce, VPN Server, IDS and Honey Pot behind the Firewall)

    40. Data Privacy
      • Confidentiality: Unauthorized parties cannot access information (-> Secret Key Encryption)
      • Authenticity: Ensuring that the actual sender is the claimed sender (-> Public Key Encryption)
      • Integrity: Ensuring that the message was not modified in transmission (-> Hashing)
      • Nonrepudiation: Ensuring that the sender cannot deny sending a message at a later time (-> Digital Signature)
      (Diagrams with Joe, Ann and Bill: Confidentiality; Authenticity (Joe, actually Bill); Integrity; Non-Repudiation)

    41. Secure Hash Functions
      • Examples: SHA1, SHA2, MD2, MD4, MD5
      • Message Authentication Code: the hash H of the Message is encrypted (E) with the shared key K; the receiver decrypts (D) with K, recomputes H over the received Message and compares
      • One Way Hash: H of the Message is sent with it; the receiver recomputes H and compares
      • Ensures the message was not modified during transmission
      • NIST Recommended: SHA-1, SHA-2; 2011: SHA-2
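The receiver's "Compare" step from slide 41 for both constructions: a bare one-way hash detects an altered message only if the digest itself cannot be replaced, while a MAC keyed with K cannot be recomputed without K. Added example, not from the slides; it uses HMAC-SHA256 from the standard library in place of the slide's encrypt-the-hash construction, and the key and messages are constructed.

```python
# Added example (not from the slides): one-way hash check vs keyed MAC check.
import hashlib
import hmac


def send_with_hash(msg: bytes):
    """One Way Hash: transmit the message together with H(message)."""
    return msg, hashlib.sha256(msg).digest()


def verify_hash(msg: bytes, digest: bytes) -> bool:
    """Receiver recomputes H over what arrived and compares."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


def send_with_mac(key: bytes, msg: bytes):
    """MAC: transmit the message with a tag that depends on the shared key K."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag with its copy of K and compares."""
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def demo():
    """Return five booleans describing what each construction catches."""
    key = b"shared-secret-K"          # constructed key held by sender and receiver only
    original = b"Pay Ann $100"
    altered = b"Pay Bill $100"        # message changed in transit

    # Plain hash: an altered message fails Compare against the original digest ...
    _, h = send_with_hash(original)
    hash_detects_tamper = not verify_hash(altered, h)
    # ... but whoever altered the message can recompute and replace the digest.
    hash_fooled = verify_hash(altered, hashlib.sha256(altered).digest())

    # MAC: the altered message fails Compare, and without K no valid tag can be made.
    _, tag = send_with_mac(key, original)
    mac_ok = verify_mac(key, original, tag)
    mac_detects_tamper = not verify_mac(key, altered, tag)
    forged_tag = hmac.new(b"guessed-key", altered, hashlib.sha256).digest()
    mac_forged = verify_mac(key, altered, forged_tag)
    return hash_detects_tamper, hash_fooled, mac_ok, mac_detects_tamper, mac_forged


if __name__ == "__main__":
    print(demo())   # (True, True, True, True, False)
```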
    42. Encryption – Secret Key
      • Examples: DES, AES
      • plaintext -> Encrypt (K secret) -> ciphertext -> Decrypt (K secret) -> plaintext
      • P = D(K_secret, E(K_secret, P))
      • NIST Recommended: 3DES w. CBC; AES 128 Bit

    43. Public Key Encryption
      • Examples: RSA, ECC, Quantum
      • Encryption (e.g., RCS): Encrypt (public), Decrypt (private); key owner Joe: P = D(k_PRIV, E(k_PUB, P))
      • Digital Signature: Encrypt (private) of the message with the private key, Decrypt (public); key owner Joe; gives Authentication, Non-repudiation: P = D(k_PUB, E(k_PRIV, P))
      • NIST Recommended: RSA 1024 bit; 2011: RSA 2048 bit

    44. Digital Signature
      • Electronic Signature
      • Uses a public key algorithm
      • Verifies integrity of data
      • Verifies identity of sender: non-repudiation
      (Diagram: Message + Msg Digest encrypted with K(Sender's Private))

    45. Public Key Infrastructure (PKI)
      • Digital Certificate: User: Sue, Public Key: 2456
      • Steps shown on the slide:
          1. Sue registers with the CA through the RA: Register(Owner, Public Key)
          2. Registration Authority (RA) verifies owners
          3. Certificate Authority (CA) sends approved Digital Certificates
          4. Sue sends Tom a message signed with her Digital Signature
          5. Tom requests Sue's DC
          6. CA sends Sue's DC
          7. Tom confirms Sue's DS

    46. Web Page Security
      • SQL Filtering: Filtering of web input for SQL Injection
      • Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Non-repudiation
      • Web Protocol Protection: Protection of State

    47. Vulnerability Assessment
      • Scan servers, work stations, and control devices for vulnerabilities
          • Open services, patching, configuration weaknesses
      • Testing controls for effectiveness
          • Adherence to policy & standards
      • Penetration testing

    48. Summary of Controls
      • Authentication & Access
          • Policy-compliance system: Rule-based access or auditing
          • Identity mgmt system: DB for authentication & access
          • Handheld token (authentication)
          • Biometrics
          • Single sign-on (SSO)
          • Certificate Authority: PKI
          • Digital Signature
          • Entitlements = role-based access
      • Network Protection
          • Firewalls
          • Proxy server
          • Demilitarized Zone (DMZ)
          • Intrusion Detection
          • Intrusion Prevention
          • Encryption or Masking
          • Virtual Private Network (VPN): Secure communications tunnel
      • Application Protection
          • SSL: Secure web
          • SSH: Secure telnet/rlogin or file transfer
          • S/MIME: Secure email
          • Secure Information Mgmt: Log mgmt

    49. Question
      • The filter with the most extensive filtering capability is the:
          • Packet filter
          • Application-level firewall
          • Circuit-level firewall
          • State Inspection

    50. Question
      • The technique which implements non-repudiation is:
          • Hash
          • Secret Key Encryption
          • Digital Signature
          • IDS

    51. Question
      • An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:
          • Spoofing
          • DDOS
          • Worm
          • Rootkit

    52. Question
      • A man in the middle attack implements which additional type of attack:
          • Spoofing
          • DoS
          • Phishing
          • Pharming

    53. Question
      • Anti-virus software typically implements which type of defensive software:
          • Neural Network
          • Statistical-based
          • Signature-based
          • Packet filter

    54. Question
      • MD5 is an example of what type of software:
          • Public Key Encryption
          • Secret Key Encryption
          • Message Authentication
          • PKI

    55. Question
      • A personal firewall implemented as part of the OS or antivirus software qualifies as a:
          • Dual-homed firewall
          • Packet filter
          • Screened host
          • Bastion host

    56. Vocabulary to Study
      • Attacks: Script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL Injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet replay

    57. Vocabulary to Study
      • Defenses: Defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment
      • Techniques: SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC, Quantum
      • Security Goals: Confidentiality, authenticity, integrity, non-repudiation