3. Cyber Security is Asymmetric
• A phony “Robin Sage”, easily masquerading as an employee
of the Naval Network Warfare command, was able to
accumulate in a few months 300 friends on LinkedIn, 110 on
Facebook and had 141 followers on Twitter.
• She connected with the Joint Chiefs of Staff, the CIO of the
NSA, an intelligence director for the U.S. Marines and a
chief of staff for the U.S. House of Representatives.
4. A Social Media Cyber-Attack
1. The cybercriminal sets up a bogus profile, such as “Ana
Maria”.
2. An encrypted malware string is coded as text and then
uploaded into the bogus profile.
3. Once the message reaches a customer’s machine, it searches
for the string, which marks the beginning of the malware code.
4. The malware is then executed. If it is a Trojan or a bot, it can
proceed to attack the customer’s computer or to propagate
further.
5. Example of Bounties for Bug Catchers, by Google
$3,137 to Sergey Glazunov for bug 68666
$1,337 to Sergey Glazunov for bug 35724
$1,337 to Sergey Glazunov for bug 45400
$1,337 to Sergey Glazunov for bug 50553
$1,337 to Keith Campbell for bug 51630
$1,337 to Aki Helin from OUSPG for bug 59036
$1,337 to Sergey Glazunov for bug 65764
$1,337 to Sergey Glazunov for bug 70165
$1,000 to Tokuji Akamine for bug 30660
$1,000 to kuzzcc for bug 37383
$1,000 to Jordi Chancel for bug 40445
• http://dev.chromium.org/Home/chromium-security/hall-of-fame
6. “Safe Browsing” Service- Two Factor Authentication
• Safe Browsing is a service provided by Google that enables
applications to check URLs against Google's constantly
updated lists of suspected phishing and malware pages.
• Here are some of the things you can do with the Safe
Browsing service:
– Warn users before they click on links in your site that lead
to malware-infected pages.
– Prevent users from posting links to known phishing pages
from your site.
– Check a list of pages against Google's lists of suspected
phishing and malware pages.
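Added example, not from the slides: the request a site would send to the Safe Browsing Lookup API (v4 `threatMatches:find`) to check a list of URLs, and the logic that turns the answer into a "block this post" decision. The request and response shapes follow Google's public v4 API; the response below is constructed (placeholder `.invalid` URLs), not returned by Google, and the live `lookup()` helper needs a real API key and is not exercised offline.

```python
"""Added example: building and interpreting a Google Safe Browsing Lookup API
(v4 threatMatches:find) exchange.  Not code from the slides; the sample
response is constructed and the URLs are placeholders."""
import json
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"


def build_lookup_request(urls, client_id="example-client", client_version="1.0"):
    """JSON body asking Safe Browsing to check `urls` against the malware and
    phishing (SOCIAL_ENGINEERING) lists for any platform."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def flagged_urls(response):
    """Map each matched URL to the set of threat types reported for it.
    An empty body ({}) means none of the submitted URLs matched a list."""
    hits = {}
    for match in response.get("matches", []):
        url = match["threat"]["url"]
        hits.setdefault(url, set()).add(match["threatType"])
    return hits


def lookup(urls, api_key):
    """Live call against the API (needs a real key); not run offline."""
    body = json.dumps(build_lookup_request(urls)).encode()
    req = urllib.request.Request(f"{LOOKUP_URL}?key={api_key}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return flagged_urls(json.load(resp))


# Constructed sample response in the v4 shape (placeholder URLs).
SAMPLE_RESPONSE = {
    "matches": [
        {"threatType": "MALWARE", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "http://malware.example.invalid/"},
         "cacheDuration": "300s"},
        {"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "http://phish.example.invalid/login"},
         "cacheDuration": "300s"},
    ]
}


def check_post(urls, response=SAMPLE_RESPONSE):
    """Decide whether a user post containing `urls` may be published.
    Returns (allowed, {url: threat_types}) for the URLs that matched."""
    hits = flagged_urls(response)
    blocked = {u: hits[u] for u in urls if u in hits}
    return (not blocked, blocked)


if __name__ == "__main__":
    print(check_post(["http://phish.example.invalid/login",
                      "http://ok.example.invalid/"]))
```

The `cacheDuration` field in each match tells the caller how long the verdict may be reused before asking again; a site that screens outgoing links at posting time should honour it rather than re-querying on every page view.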
13. Internet Advantage
• Any properly configured computer can act as a host for a
personal web-page.
• Any of several hundred million other computers can view that
personal web-page.
• Any of several hundred million other computers can connect
to another computer capable of delivering an information
processing service.
14. Internet Liabilities
• 17,000+ partially secure, poorly connected networks with a
practically unlimited number of unverifiable points of
access;
• The most frequently used security protocol (SSL, Secure
Sockets Layer) authenticates destination servers, but not the
sending sources;
• Networks are mostly small, with large ISPs managing less
than 10% of network traffic;
• Performance of the network depends on “peering
relationships” between ISPs (Information Service Providers),
each providing network capacity and router switching
capacity;
• Delivery of packets cannot be guaranteed because network
performance is determined by routers that may not have
sufficient capacity to handle traffic spikes.
15. Components of the Internet
• The Border Gateway Protocol (BGP) consists of ISP instructions
for forwarding packets from one network link to another. BGP
is unreliable if router tables are in error;
• Average broadband web-page download time to a LAN can
be well over 0.5 seconds if a message “packet” traverses
several “hops”;
• The Domain Name System (DNS) can be compromised by
diverting communications;
• Software robots (botnets) can automatically proliferate
and convey destructive software such as “worms”,
“rootkits” or parasitic “malware” such as “Trojans” for
finding “backdoors” into computers;
• Denial of service attacks can be launched.
16. Problems with Nets and Servers
• Capacity limitations for peak loads;
• Congestion in access to data sources;
• Excessive delays for global access;
• Expensive to scale capacity for growth;
• Problem not in bandwidth, but mostly in switching;
• Depends on reliability and capacity of ISP “peers” to forward
data to the destination;
• Conflicting economic interests among “peers” can inhibit
growth and performance.
18. The Internet “Stack”
Layer 7: Application – Application Services
Layer 6: Presentation – Data Representation
Layer 5: Session – Inter-host Communications
Layer 4: Transport – End-to-End Connectivity
Layer 3: Network – Path Determination
Layer 2: Data Link – Link Reliability
Layer 1: Physical – Signal Transmission
21. All Internet Transmissions in “Hops” (Total elapsed time 6 seconds)
From: jtmessert@optonline.net 7 Dec 2008 15:05:39
1. Received: from 48151 invoked from network
2. Received: from localhost (localhost [127.0.0.1])
3. Received: from rn-out-0910.google.com
4. Received: by rn-out-0910.google.com
5. Received: by 10.100.255.10
6. Received: by 10.100.124.12
7. Received: by 10.65.53.19
8. Received: from qs1473.pair.com
9. Received: from localhost [127.0.0.1]
10. Received: from mta3.srv.hcvlny.cv.net
11. Received: from [10.240.3.210]
Forwarded-To: paul@strassmann.com 7 Dec 2008 15:05:45
Above message = 29 “packets”
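Added example, not part of the slides: reconstruct the hop-by-hop path of a message from its Received: headers and measure the delay at each hop, the way the slide reads the eleven Received: lines of the forwarded message. The message is constructed (placeholder hosts, IDs and addresses); only the "6 seconds end to end" idea comes from the slide. The chain check at the end is what a mail forensics review uses to spot an inserted or forged Received: line.

```python
"""Added example: hop timeline and chain consistency from Received: headers.
The sample message is constructed; hosts, ids and addresses are invented."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample.  Each relay prepends its own Received: line, so the
# topmost header is the last hop and the bottom one is the first.
SAMPLE_MESSAGE = """\
Received: from mail.relay-c.example (mail.relay-c.example [203.0.113.9])
\tby mx.dest.example with ESMTP id c3; Sun, 7 Dec 2008 15:05:45 -0500
Received: from relay-b.example (relay-b.example [198.51.100.7])
\tby mail.relay-c.example with ESMTP id b2; Sun, 7 Dec 2008 15:05:44 -0500
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby relay-b.example with ESMTP id a1; Sun, 7 Dec 2008 15:05:39 -0500
From: sender@example.net
To: recipient@dest.example
Subject: hop test

body
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_hops(raw):
    """Hops in transmission order (oldest first): the claimed sending host,
    the receiving host, and the time the receiver stamped."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        header, _, date_part = value.rpartition(";")
        m = HOP_RE.search(header)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(date_part.strip()),
        })
    return hops


def hop_delays(hops):
    """Seconds spent between consecutive relays.  A negative value means the
    relay clocks disagree, which forged headers frequently show."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:])]


def total_transit_seconds(hops):
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def consistent_chain(hops):
    """Each relay's 'by' host should appear as the next hop's 'from' host;
    a break in that chain is where an inserted Received: line would show."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


if __name__ == "__main__":
    h = parse_hops(SAMPLE_MESSAGE)
    for hop in h:
        print(hop["from"], "->", hop["by"], hop["time"].isoformat())
    print("delays:", hop_delays(h), "total:", total_transit_seconds(h),
          "chain ok:", consistent_chain(h))
```

Only the bottom-most Received: line can be trusted to the extent its relay is trusted: anything below the first header added by your own mail server was written by the sender's side and can say whatever it likes, which is why the chain check starts from the receiving end.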
23. What is in an IPv4 Internet Packet Header
• 4 bits that contain the version, which specifies an IPv4 or IPv6 packet,
• 4 bits that contain the length of the header,
• 8 bits that contain the Type of Service - Quality of Service (QoS),
• 16 bits that contain the length of the packet,
• 16 bits of identification tag to reconstruct the packet from fragments,
• 3 bits of flags that say whether the packet is allowed to be fragmented or not,
• 13 bits that identify which fragment this packet is attached to,
• 8 bits that contain the Time to Live (TTL), the number of hops allowed,
• 8 bits that contain the protocol (TCP, UDP, ICMP, etc.),
• 16 bits that contain the Header Checksum,
• 32 bits that contain the source IP address,
• 32 bits that contain the destination address.
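Added example, not from the slides: pack the 20-byte IPv4 header whose fields the slide lists, parse it back field by field, and verify the header checksum, which is how a receiver notices a header corrupted in transit (or altered on the way). Addresses and field values are constructed; the field layout and the one's-complement checksum follow RFC 791.

```python
"""Added example: IPv4 header builder, parser and checksum check.
Field values and addresses below are constructed."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # network byte order, 20 bytes, no options


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words,
    complemented.  Over a header whose checksum field is correct it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234,
                      dont_fragment=True):
    """Return a valid 20-byte header (version 4, IHL 5) with checksum set."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (0x2 << 13) if dont_fragment else 0   # DF flag, offset 0
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)               # computed with the field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(data):
    """Unpack the slide's field layout into a dict.  `checksum_ok` is False
    when any header byte was changed after the checksum was computed."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, data[:20])
    ihl = ver_ihl & 0x0F
    header = data[:ihl * 4]
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl * 4,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,          # 3 bits: reserved, DF, MF
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "checksum": csum,
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.1", "198.51.100.2", payload_len=40)
    print(parse_ipv4_header(hdr))
```

Note what the checksum does and does not give you: it catches accidental corruption of the header, but any router on the path recomputes it after decrementing the TTL, so it offers no protection against deliberate modification; integrity against tampering has to come from a higher layer such as IPsec or TLS.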
24. What Drives Computing to “the Edge”?
(Diagram: latency between a local workstation and a central computer)
• LAN connection: 2 “hops”, latency 0.01 seconds
• Middle mile: 8-20 “hops”, TCP retransmits at each “hop”, latency 0.1 to 0.5 seconds
• Channel connection: 1 “hop”, latency 0.001 seconds
25. “Middle Mile” In Transmission Takes Microseconds
Transmission Stage   IP Address                                             Average Elapsed Time (Milliseconds)
First Mile           192.168.0.1                                            0.529
Middle Mile          10.130.160.1                                           7.241
Middle Mile          dstswr2-vlan2.rh.nrwlct.cv.net                         7.915
Middle Mile          r2-ge12-1.mhe.whplny.cv.net                            10.527
Middle Mile          64.15.8.117 (64.15.8.117)                              9.323
Middle Mile          rtr3-tg11-2.in.nycmnyzr.cv.net.0.15.64.in-addr.arpa    10.848
Middle Mile          rtr2-tg10-1.in.asbnva16.cv.net                         41.431
Middle Mile          cr1-eqix-peer.wdc003.internap.net                      16.273
Middle Mile          core2.wdc002.inappnet-62.cr1.wdc005.internap.net       17.097
Middle Mile          border2.pc2-bbnet2.wdc002.pnap.net                     15.699
Middle Mile          infospaceinc-3.border2.wdc002.pnap.net                 17.693
Last Mile            167.206.251.78                                         0.627
Total Transmission Time without Error                                       155.202
26. Example: “Hops” from Desktop to Server
traceroute, 40 byte packets to Akamai.com (80.67.72.198)
Hop   Host                                Total Transaction Latency (in Milliseconds)
1     0.0.0.0                             13.084
2     dstswr1-vlan2.rh.nrwlct.cv.net      12.343
3     r1-ge12-1.mhe.whplny.cv.net         14.528
4     r2-srp3-0.wan.whplny.cv.net         19.735
5     r2-srp0-0.in.nycmny83.cv.net        18.286
6     gige-g0-2.gsr12416.nyc.he.net       24.839
7     pos0-3.gsr12416.ash.he.net          20.012
8     64.71.158.140                       20.087
9     84.53.144.195                       21.735
10    80.67.72.198                        21.097
Total                                     185.746
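Added example, not from the slides, serving both the "Middle Mile" table and the desktop-to-server traceroute above: parse traceroute-style output into per-hop latencies, total them the way the slides do, split the path into first, middle and last mile, and point at the hop where the largest share of delay appears. The hop names and times in the sample are taken from the "Middle Mile" slide; the line format around them is constructed to resemble traceroute output, and the regex only handles that format (one RTT per line, `* * *` lines skipped).

```python
"""Added example: per-hop latency analysis of traceroute-style output.
Sample lines use the hosts and times printed on the slide; the line layout
itself is constructed."""
import re

SAMPLE_TRACE = """\
 1  192.168.0.1  0.529 ms
 2  10.130.160.1  7.241 ms
 3  dstswr2-vlan2.rh.nrwlct.cv.net  7.915 ms
 4  r2-ge12-1.mhe.whplny.cv.net  10.527 ms
 5  64.15.8.117 (64.15.8.117)  9.323 ms
 6  rtr3-tg11-2.in.nycmnyzr.cv.net.0.15.64.in-addr.arpa  10.848 ms
 7  rtr2-tg10-1.in.asbnva16.cv.net  41.431 ms
 8  cr1-eqix-peer.wdc003.internap.net  16.273 ms
 9  core2.wdc002.inappnet-62.cr1.wdc005.internap.net  17.097 ms
10  border2.pc2-bbnet2.wdc002.pnap.net  15.699 ms
11  infospaceinc-3.border2.wdc002.pnap.net  17.693 ms
12  167.206.251.78  0.627 ms
"""

# hop number, host (optionally followed by "(ip)"), one RTT in ms
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(\S+\))?\s+([\d.]+) ms")


def parse_trace(text):
    """[(hop_number, host, latency_ms)]; '* * *' no-reply lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops


def classify(hops):
    """First hop = first mile, last hop = last mile, everything between is
    the middle mile, matching the slide's three transmission stages."""
    stages = []
    for i, (_, host, ms) in enumerate(hops):
        stage = ("First Mile" if i == 0
                 else "Last Mile" if i == len(hops) - 1
                 else "Middle Mile")
        stages.append((stage, host, ms))
    return stages


def total_ms(hops):
    """Sum of per-hop times, rounded as the slide prints it."""
    return round(sum(ms for _, _, ms in hops), 3)


def middle_mile_share(hops):
    """Fraction of the total spent in the middle mile."""
    mid = sum(ms for stage, _, ms in classify(hops) if stage == "Middle Mile")
    return round(mid / sum(ms for _, _, ms in hops), 3)


def slowest_hop(hops):
    """The hop with the largest single delay, where a capacity or peering
    problem first becomes visible."""
    return max(hops, key=lambda h: h[2])


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("total ms:", total_ms(hops), "middle mile share:", middle_mile_share(hops))
    print("slowest hop:", slowest_hop(hops))
```

Summing the twelve hop times gives 155.203 ms, which agrees with the slide's 155.202 to the rounding of the individual values, and over 99% of that total sits in the middle mile, the hops the end user and the content owner control least; that is the numerical argument behind the "computing at the edge" slide.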
28. Is Conversion from IPv4 to IPv6 Necessary Now?
• Total capacity of IPv4 is 4.3 billion addresses.
• Xerox, IBM, HP, Apple and Ford each have 16.8 million
addresses.
• Xerox employment is 53,500.
• DoD has available 134.2 million addresses.
SOURCE: http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks
29. Current IPv4 vs. IPv6 Status
• IPv4 allows 32 bits for an Internet Protocol address.
• IPv6 uses a 128-bit address and supports a practically infinite
number of addresses.
• As of the end of 2010 only 533 million unique IP addresses
had been assigned.
• Though the USA currently has 26.4% of the global IP
population, it has obtained more than 50% of the IP
addresses, while the quickly growing China is exhausting its
allocation.
• There are enough IP addresses, on average, except that
they have been misallocated. An immediate rush into IPv6 in
the USA cannot be justified.
31. VPN Features
• VPN offers site-to-site connectivity.
• Protocols are used for “tunneling” the traffic.
• The tunnel's termination point unpacks the protocol.
• VPN enables several levels of security.
• Cryptographic tunneling protocols provide confidentiality by
blocking intercepts and packet sniffing.
• VPN allows sender authentication to block identity spoofing
and message alteration.
32. Examples of VPN Protocols
• IPsec, a VPN protocol developed for IPv6.
• Transport Layer Security (SSL/TLS) can tunnel complete
network traffic.
• Datagram Transport Layer Security (DTLS) solves
Transmission Control Protocol (TCP) issues.
• Special fixes offered by Microsoft:
– Microsoft Point-to-Point Encryption (MPPE).
– Microsoft Secure Socket Tunneling Protocol (SSTP).
• Secure Shell (SSH) VPN – Offers secure tunneling for
inter-network links.
36. Principal Attack Scenarios on Internet Switches
• Flooding Attacks on a Switch
• Address Resolution Spoofing
• “Man-in-the-Middle” Attack
• Denial of Service Attack
• Switch Hijacking Attack
• Spanning Tree Attack
• The Root Claim Attack
• Forcing Eternal Root Election Attack
• VLAN Hopping Attack
37. Flooding Attacks on a Switch
• The Media Access Control (MAC) protocol defines for a
switch which transmissions are allowed to reach which
connection.
• A switch keeps a Content Addressable Memory (CAM)
table to identify MAC destinations. CAM tables have
limited memory and will overflow.
• Attack tools can auto-generate more than 100,000 bogus
entries per minute, which overloads the switch so that
it malfunctions.
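Added example, not from the slides: the defender's view of the CAM-table flooding described above. A single access port normally carries one or a handful of source MAC addresses; a port that suddenly presents thousands of distinct source MACs in a minute is the flooding pattern. The detector below counts distinct source MACs per port per time window over a constructed set of frame records (one normal host, one flooding port) and reports the offending ports.

```python
"""Added example: CAM-table flooding detection by distinct source MACs per
switch port per window.  The frame records are constructed."""
from collections import defaultdict

# Constructed frame records: (timestamp_seconds, port, source_mac).
# Gi0/1 and Gi0/2 behave like ordinary hosts; Gi0/7 shows the flood pattern
# (5000 distinct source MACs in under a minute).
FRAMES = (
    [(t, "Gi0/1", "00:11:22:33:44:55") for t in range(0, 60, 5)]
    + [(t, "Gi0/2", "00:11:22:33:44:66") for t in range(0, 60, 7)]
    + [(i * 0.01, "Gi0/7",
        f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}")
       for i in range(5000)]
)


def distinct_macs_per_port(frames, window_seconds=60.0):
    """Count distinct source MACs per port in fixed time windows.
    Returns {(window_start, port): count}."""
    seen = defaultdict(set)
    for ts, port, mac in frames:
        window = int(ts // window_seconds) * window_seconds
        seen[(window, port)].add(mac)
    return {key: len(macs) for key, macs in seen.items()}


def flood_alerts(frames, max_macs_per_port=8, window_seconds=60.0):
    """Ports whose distinct-MAC count in any window exceeds what an access
    port serving a few hosts should ever carry."""
    counts = distinct_macs_per_port(frames, window_seconds)
    return sorted({port for (_, port), n in counts.items()
                   if n > max_macs_per_port})


if __name__ == "__main__":
    for key, n in sorted(distinct_macs_per_port(FRAMES).items()):
        print(key, n)
    print("flooding suspected on:", flood_alerts(FRAMES))
```

The same threshold idea is what switch port-security features enforce in hardware: cap the number of MAC addresses a port may learn and shut the port or drop further frames when the cap is exceeded, so the CAM table cannot be driven into the overflow state the slide describes.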
38. VLAN Hopping Attack
• Virtual LANs (VLAN) make it possible to group users into
logically separate networks.
• A switch partitions local area networks into isolated
VLANs. The computers and peripherals are then
restricted from communicating with each other.
• Separate subnets are compromised if an attacker
manages to send across different zones (hopping). That
will make VLAN subdivisions useless.
• For instance, a NIPRNET LAN could be used to initiate a
denial of service against computers on SIPRNET.
39. Address Resolution Spoofing
• The attacker replaces the Address Resolution Protocol
(ARP) cache on a switch with a forged mapping.
• This causes traffic to be redirected from the correct target to
a target of the attacker’s choice.
• It allows an attacker to sniff the data flowing to a local area
network. The traffic can then be modified.
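Added example, not from the slides: the trace that ARP spoofing leaves on the wire is an IP address being announced from a different MAC than before, and the detector below (the same idea as the arpwatch tool) flags exactly that. The ARP reply records are constructed with documentation addresses; the gateway's true MAC is the one seen first, and the last two replies claim the gateway's IP from another MAC.

```python
"""Added example: ARP-cache poisoning detection from observed ARP replies.
The reply records below are constructed."""

# Constructed ARP reply observations: (timestamp, sender_ip, sender_mac).
# 192.0.2.1 is the gateway; from t=30 another MAC claims its address.
ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:aa:bb:cc:dd:01"),
    (1.0, "192.0.2.20", "00:aa:bb:cc:dd:20"),
    (2.0, "192.0.2.1", "00:aa:bb:cc:dd:01"),
    (30.0, "192.0.2.1", "00:de:ad:be:ef:99"),
    (31.0, "192.0.2.1", "00:de:ad:be:ef:99"),
]


def binding_changes(replies, trusted=None):
    """List (timestamp, ip, previous_mac, new_mac) for every reply that
    announces an IP from a different MAC than the one last seen for it.
    `trusted` is an optional {ip: mac} table (gateways, servers): replies
    contradicting it are reported every time, not only on the first change."""
    trusted = dict(trusted or {})
    last = {}
    changes = []
    for ts, ip, mac in replies:
        prev = trusted.get(ip, last.get(ip))
        if prev is not None and prev != mac:
            changes.append((ts, ip, prev, mac))
        if ip not in trusted:
            last[ip] = mac
    return changes


def ips_with_duplicate_macs(replies):
    """IPs claimed by more than one MAC anywhere in the capture."""
    claims = {}
    for _, ip, mac in replies:
        claims.setdefault(ip, set()).add(mac)
    return sorted(ip for ip, macs in claims.items() if len(macs) > 1)


if __name__ == "__main__":
    print(binding_changes(ARP_REPLIES))
    print(binding_changes(ARP_REPLIES, trusted={"192.0.2.1": "00:aa:bb:cc:dd:01"}))
    print(ips_with_duplicate_macs(ARP_REPLIES))
```

A binding change is not proof of an attack (a replaced NIC or a failover gateway also changes a mapping), which is why the `trusted` table matters: for the gateway and other fixed infrastructure the expected MAC is known, and a contradiction there is worth an alert on every occurrence, not just the first.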
40. “Man-in-the-middle” Attack
• Adds a third party destination into the communications
stream without the legitimate recipients being aware.
• The third party can extract passwords and confidential
data.
41. Switch Hijacking Attack
• The switch will inject illegitimate connections that will
pretend to be authentic.
• The added connections will take over control without the
recipients being aware.
42. Spanning Tree Attack
• Allows the connection of multiple switches for LAN
redundancy, or spare links to form automatic
backup paths.
• If the Spanning Tree Protocol (STP) is corrupted,
communications will be re-routed to illegitimate links.
43. The Root Claim Attack
• Bogus bridge protocols are used to designate the
attacker’s station as the new root bridge.
• Once in control a variety of malicious attacks can be
launched by the attacker, including the sniffing of all
messages for sensitive information and for passwords.
44. Forcing Eternal Root Election Attack
• Makes the network unstable by tampering with the
Spanning Tree Protocol (STP) routing algorithm to keep
searching for the root switch, without ever finding it.
• The network will be always in the root selection process,
which will make the network unstable and potentially
disabled.
48. Border Gateway Attacks
• The Border Gateway Protocol (BGP) is the core routing
protocol of the Internet. It maintains tables of networks
that can be reached from routers.
• BGP makes routing decisions based on path availability,
network policies and operating rules.
• The Border Gateway protocol does not assure data
integrity and does not provide source authentication.
• BGP can be tampered with by making changes to the
router software.
49. Principal Attack Scenarios on Internet Routers
• Promiscuous Mode Corruption
• Router Table Attacks
• Router Information Attacks
• Shortest Path Attacks
• Border Gateway Attacks
• Border Gateway Poisoning
50. Corruption of Internet Routing Tables
• The rapid growth and fragmentation of Internet routing
tables are the major threats to the integrity of Internet
transmissions.
• Destination addresses are chosen by “routing tables”. If
these routing tables get incorrect information, misrouting
will occur.
• Routers tell packets of data which way to go. When an
e-mail is sent from one private network to another, the
router “decides” which packets should travel within the
corporate private network and which should not.
http://pstrassmann.blogspot.com/2010/12/corruption-of-internet-routing-tables.html
51. Promiscuous Mode Corruption
• The router masquerades as a “super-user” with software
control privileges. Many router operating systems make
“super-user” privileges available for maintenance or for
software updating.
• The attacker uses the vendor instructions to acquire
“super-user” status.
• A promiscuous computer can monitor traffic to and from
other computers on the Internet.
52. Router Table Attacks
• The content of a routing table update is continually
modified to reflect changes in the configuration of the
surrounding networks.
• An attacker creates messages that look legitimate and
can then be inserted into the routing table so that
transactions can be redirected.
• Attacks on routing table updates represent a high risk
in the absence of a strong authentication mechanism.
Passwords are insufficient for protecting military-grade
routers.
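Added example, not from the slides: what "a strong authentication mechanism" on routing-table updates buys you. Each update carries a keyed digest (HMAC-SHA256) computed by the sender with a key shared with its neighbour; a receiver applies only updates whose digest verifies and whose sequence number has not been seen, so a forged update, an altered one, and a replayed one are all rejected before they touch the table. The update format, key and prefixes are constructed for illustration, not the wire format of OSPF or BGP; the keyed-digest idea is the one those protocols' neighbour authentication uses.

```python
"""Added example: authenticated routing-table updates with HMAC-SHA256 and
replay protection.  Message format, key and prefixes are constructed."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"          # shared with the neighbour out of band
BASE_TABLE = {"10.0.0.0/8": "192.0.2.1"}


def _canonical(update):
    """Stable byte encoding so sender and receiver digest the same bytes."""
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def sign_update(update, key):
    """Attach an HMAC over the canonical form of the update."""
    return {"update": update,
            "mac": hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()}


def verify_update(signed, key):
    expected = hmac.new(key, _canonical(signed["update"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


def apply_updates(table, signed_updates, key, last_seq=0):
    """Apply only updates that verify and carry a fresh sequence number.
    Returns (new_table, rejected_updates, last_seq_seen)."""
    table = dict(table)
    rejected = []
    for signed in signed_updates:
        update = signed["update"]
        if not verify_update(signed, key) or update["seq"] <= last_seq:
            rejected.append(update)          # forged, altered, or replayed
            continue
        last_seq = update["seq"]
        if update["action"] == "withdraw":
            table.pop(update["prefix"], None)
        else:
            table[update["prefix"]] = update["next_hop"]
    return table, rejected, last_seq


def sample_updates():
    """Constructed stream: one good update, one altered in transit, one
    forged with the wrong key, and a replay of the good one."""
    good = sign_update({"seq": 1, "prefix": "10.1.0.0/16",
                        "action": "add", "next_hop": "192.0.2.2"}, KEY)
    tampered = sign_update({"seq": 2, "prefix": "10.0.0.0/8",
                            "action": "add", "next_hop": "192.0.2.1"}, KEY)
    tampered["update"]["next_hop"] = "198.51.100.66"   # changed after signing
    forged = sign_update({"seq": 3, "prefix": "10.0.0.0/8",
                          "action": "withdraw", "next_hop": None}, b"wrong-key")
    return [good, tampered, forged, good]


if __name__ == "__main__":
    table, rejected, seq = apply_updates(BASE_TABLE, sample_updates(), KEY)
    print("table:", table)
    print("rejected:", len(rejected), "last seq:", seq)
```

A shared key is the weak point of this scheme in practice: it must be distributed out of band, rotated, and kept off any device an attacker with "super-user" access could read, which is the operational reason the slide calls passwords alone insufficient.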
53. Router Poisoning Attacks
• Router poisoning is a method used to direct the
formation of routing loops within networks.
• A “hop” count indicates to other routers that a route is
no longer reachable and should be removed from their
respective routing tables.
• The desired destination for the packets will cease to
function.
54. Shortest Path Attacks
• Each router passes the status of its links to its neighbors
who in turn forward this information to other routers in
the network.
• As a result of this exchange each router has the link
information for all other routers and eventually has a
picture of the entire network topology.
• In a compromised table the calculated shortest paths will
be incorrect and the shortest paths will be purged.
55. Black Hole Attack
• By making use of router vulnerabilities, various kinds of
attacks can be launched to compromise the routing
through software changes.
• A special case is the “Black Hole” attack where the
router directs a packet to a network where packets enter
but do not come out.
57. What Are the DNS Servers?
• The Domain Name System (DNS) is a globally
distributed service that is foundational to the way people
use the Internet.
• DNS uses a hierarchical name structure, and different
levels in the hierarchy are each separated with a dot ( . )
• Computers use the DNS hierarchy to translate human-
readable names like <www.amazon.com> into IP
addresses like 192.0.2.1 that the Internet can use to
route transactions between them.
58. Principal Attack Scenarios on Domain Name System (DNS)
• Address Starvation Attack
• Attacks Using Rogue Servers
• Attacks Using Bogus Default Gateway
• DNS Database with Malicious Records
• DNS Spoofing With a Sniffer
• DNS Flooding Attack
• Spoofed Responses to a DNS Server
• Buffer Overflow Attack
• Denial of Service Attack
62. Challenge
• How to automate monitoring, control and security tasks
performed by >50,000 personnel now attending to
computers at >500 server farms?
• How to migrate to a highly automated environment?
63. The Purpose of a Network Operations Center (NOC)
• To manage an automated network environment.
• To function as the first line of defense for security.
• To operate information warfare countermeasures.
• To shift computing workloads to and from:
– Locked down internal production operations;
– Test and Pre-production environments;
– Internal “clouds” for legacy applications;
– External “clouds” for fall back and added assets.
64. The NOC Becomes the Key to Net-Centricity
• Manages the migration from a device centric world to a
customer centric world.
• Enables connecting from anywhere, by any means.
• Offers access privileges only to authorized persons.
• Allows purchasing of computer processing power
independent of circuit technology.
• Makes it possible to associate computing services
according to a person’s roles or location.
65. Concept of Operations for Network Operations Center
• Network Operations Center (NOC) manages
massively distributed virtual computers.
• The scale of NOC dictates the scope of information
security safeguards.
• NOCs should be geographically distributed and
redundant.
• The staffing of NOCs can offer huge economies of
scale, depending on the capitalization of the staff.
• The NOC should include countermeasures as the
first line of defence in the case of information warfare.
66. Security & Control Managed from the NOC
• Offers visibility into all machine resources and
processes.
• Monitors and controls the execution of all
applications.
• Sets up traps for viruses, rootkits and malware before
they can infect a system.
67. Security Architecture Managed from the NOC
• Delivers a private network that is completely isolated
from the public Internet except through a small
number of controlled access gateways.
• Offers instant visibility of 100% of every network
component (such as cabling, routers, switches,
servers and end user appliances);
• Provides uninterrupted, redundant real-time
monitoring of each transaction that is processed
anywhere on the entire network;
• Offers instant switching of communications as well as
of all computing assets to fall-back facilities to deliver.
68. Example of NOC Operations
• NOCs account for every Internet Protocol (IP)
address in the system, which includes all authorized
desktops, laptops, smart-phones and RFIDs.
• Assuming insider attack, all network incidents,
whether human or automatic, shall be followed up
and documented for attack pattern analysis.
• Forensic and artificial intelligence methods will be
applied to analyse attack patterns in the perpetual
transactions library.
• Keeps inventories of LAN and WAN for identification
of alternative paths under failure conditions.
70. Ultimate Purpose: NOCs Manage Connecting of the Clouds
• Extends Virtual Infrastructure beyond single data center
• Uses secondary Data Center site for testing and overflow
• Leverages geographically distributed resources
• Rents resources from Service providers for capacity
• Maintains IT Service Levels
(Diagram: virtual infrastructure spanning a primary data center, a test and development data center and a resource cloud)
71. Software Defined Networks (SDN)
• SDN allows direct access to and manipulation of network
devices such as switches and routers, both physical and
virtual. It is the absence of an open interface to these devices
that has led to the characterization of today’s networking
devices as monolithic, closed, and mainframe-like. A protocol
like SDN is needed to move network control out of the
individual switches to centralized control software.
• SDN control software can control any SDN-enabled network
device from any vendor, including switches, routers, and
virtual switches. Rather than having to manage groups of
devices from individual vendors, IT will now be able to use
SDN-based orchestration and management tools to quickly
deploy, configure, and update devices across the entire
network.
79. VISA Credit Card Case
• >1.3 billion Visa cards in circulation;
• Accepted at >24 million input sources, >160 countries;
• >50,000 decision rules for interoperability;
• Interoperability in >50 languages;
• Cash access at >one million ATMs;
• Capable of processing >6,200 transactions a second;
• Global response time <0.25 seconds;
• Interoperable with >21,000 financial institutions;
• Global Systems Integration Staff of 200;
80. Amazon Global Network of Private Servers
• Ashburn, VA
• Dallas/Fort Worth, TX
• Los Angeles, CA
• Miami, FL
• New York, NY
• Newark, NJ
• Palo Alto, CA
• Seattle, WA
• St. Louis, MO
• Amsterdam
• Dublin
• Frankfurt
• London
• Hong Kong
• Tokyo
• Singapore
81. AKAMAI, a Telecomm Infrastructure Manager
• Manages 35,000 servers.
• Servers hosted with Internet Service Providers (ISP)
• NOC has 12 operating staff.
• Most of the Akamai intellectual capital is in their NOC.
• 99.98% uptime for “End-to-End” connections.
– Performance is inclusive of server failures, connectivity failures
and network downtime, measured on a 24/7 basis.
• Akamai has $800M in revenues.
83. Origin of the Global Information Grid (GIG)
• In September 1992, Defense Management Report Decisions
(DMRD) expanded DISA's role.
• DMRD 918 created the Defense Information Infrastructure
(DII), now known as the Global Information Grid. At the same
time the Defense Information Systems Network was created to
consolidate 122 DoD networks.
• DISA plans, designs, constructs, and analyzes the
effectiveness of the U.S. military's cyberspace.
• DISA establishes the technological standards that make the
GIG secure and reliable.
84. Large Internet Firms Offer Direct Links to Speed Connections
(Diagram: 26 routers, 169 POP switches)
85. A 2004 Evaluation by the Government Accountability Office
• The most critical challenge ahead for DOD is making the GIG a
reality.
• DOD has taken steps to define its vision and objectives for the
GIG on paper.
• DoD is making heavy investments ($21 billion over 6 years) in
the GIG as well as in systems that depend on the GIG.
• It is not known how DOD will meet GIG objectives.
SOURCE: GAO-04-858, 2004
87. GIG as the Cornerstone of Information Superiority
• GIG is the enabler of net-centric warfare.
• The GIG makes up a secure, reliable network for
communications satellites, next-generation radios and
military installations-based networks with expanded
bandwidth.
• Increased budgetary pressures are starting to modify the
term GIG.
• New concepts are emerging such as Cyberspace Operations
which are revising what was the original version of GIG.
89. Required Reading
– The Internet’s Vulnerabilities Are Built Into Its Infrastructure, Paul A.
Strassmann, November 2009
• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Templa
– Network-Centric Systems Need Standards and Metrics, Paul A.
Strassmann, July 2009
• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Templa
– Can DoD Manage the Delivery of GIG Objectives?
• http://pstrassmann.blogspot.com/2011/08/can-dod-manage-delivery-of
– Why the GIG Warrants Top Priority
• http://pstrassmann.blogspot.com/2011/03/how-secure-is-virtual-netwo
90. Class Assignment
• Write a >200 word analysis of one of the topics in the
required reading list:
• Analysis to include:
– Discussion of favorable and unfavorable views about the issue
– Your personal summary conclusion and recommendations