Network Security Threats




 CERT Centers, Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh, PA 15213-3890

 SEI is sponsored by the U.S. Department of Defense
 © 2000 by Carnegie Mellon University
                                                      95-752:8-1
TCP/IP
Internet: Network of Networks
 • Connected by routers, no central control
 • Using common set of protocols

TCP/IP - Two-level package of protocols for Internet
 • Transmission Control Protocol (TCP) -- sequencing and
   acknowledgement of a series of packets to transmit data reliably
   over the Internet
 • Internet Protocol (IP) -- best-effort routing of individual packets
   from source to destination
 • TCP is not the only protocol running on top of IP:
    - UDP - connectionless datagrams, no sequencing or retransmission
    - ICMP - network control and error-reporting protocol (ping,
      "destination unreachable", redirects)
    - IGMP - multicast group management protocol


How IP Works
Packet switched:
 • Flow of information broken into chunks (packets)
 • Each routed independently by best route to destination
 • Packets may arrive out of order; destination must reassemble
   into correct order
 • Lost or corrupted packets handled by retransmission (done by TCP,
   not by IP itself, which makes no delivery guarantee)

 Internet Address:
 • Logical network (location) & Logical host (identity)
 • Most frequently translated into dotted decimal:
   10110110 11100111 00011000 10101010
   182       231           24            170
   182.231.24.170
 • V4 (RFC 791, 1981) -- current version (32 bit addresses)
 • V6 (RFC 2460, 1998) -- forthcoming version as of these slides
   (128 bit addresses)

Routing and Hostnames
Each router in Internet:
 •    List of known network links
 •    List of connected hosts
 •    Link for unknown networks (“other”, the default route)

 Route information passed between routers
 •    Accessible networks
 •    Cost of linkage (speed, load, distance, etc.)

 Hosts mapped by IP address
 •    One host, several IP addresses (multiple interfaces)
 •    One IP address, several hosts over time (dynamic assignment,
      e.g. dial-up pools or DHCP leases)



IP Security
Many problems:
 •   Network sniffers (traffic is carried in the clear)
 •   IP Spoofing (the source address is whatever the sender writes)
 •   Connection Hijacking (sequence numbers can be sniffed or guessed)
 •   Data spoofing
 •   SYN flooding (half-open connections exhaust the server's backlog)
 •   etc.


 Hard to respond to these attacks:
 •    Designed for trust
 •    Designed without authentication
 •    Evolving -- employed for uses beyond design


Network Redirection
Intruders can fool routers into sending traffic to unauthorized
locations by feeding them false route information




Email
[Figure: a message reading "Here is the program you’ve been waiting
for.", apparently from "Trusted Colleague" <VIP@XXX.GOV>, with an
attachment]

A postcard written in pencil, with trusted cargo attached

Email Forgery
It is pretty simple to create email that appears to come from a
computer or user other than the real sender: SMTP accepts whatever
sender name and address the connecting client supplies
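The forgery is easiest to see in the protocol itself. The following is an added example, not material from the slide deck: a minimal SMTP receiver replayed against a constructed client session in which the HELO name, the envelope sender and the From: header all claim VIP@XXX.GOV (the placeholder address on the Email slide). The relay name, the connecting IP address and the message text are constructed for the example.

```python
"""Added example (not from the CERT slides): a minimal SMTP receiver that
shows why the sender of classic Internet mail is unverified.  The client
lines, host names, connecting IP and message are all constructed."""

CONNECTING_IP = "198.51.100.77"   # constructed: where the TCP connection really came from

# Constructed client side of the dialogue.  Nothing the client says is
# checked against anything: the HELO name, the envelope sender and the
# From: header are simply strings the client chose.
FORGED_SESSION = [
    "HELO mail.xxx.gov",
    "MAIL FROM:<vip@xxx.gov>",
    "RCPT TO:<target@example.org>",
    "DATA",
    "From: Trusted Colleague <vip@xxx.gov>",
    "To: target@example.org",
    "Subject: the program",
    "",
    "Here is the program you've been waiting for.",
    ".",
    "QUIT",
]


def run_smtp_server(client_lines, connecting_ip):
    """Replay the client lines through a minimal RFC 821-style state machine.
    Returns (server_replies, delivered_message, envelope_sender).  The
    server accepts any sender because the protocol gives it nothing to
    verify the claim against."""
    replies = ["220 relay.example.org SMTP"]
    helo = envelope_from = delivered = None
    rcpts, body, in_data = [], [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                # The one thing the sender did not write: the receiving
                # server records where the connection actually came from.
                received = (f"Received: from {helo} ({connecting_ip}) "
                            f"by relay.example.org for {rcpts[0]}")
                delivered = received + "\n" + "\n".join(body) + "\n"
                replies.append("250 OK queued")
            else:
                # Undo SMTP dot-stuffing: a leading "." in the data was doubled.
                body.append(line[1:] if line.startswith(".") else line)
            continue
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            helo = arg
            replies.append(f"250 relay.example.org Hello {arg}")
        elif verb == "MAIL":
            envelope_from = arg[len("FROM:"):].strip("<>")
            replies.append("250 OK")
        elif verb == "RCPT":
            rcpts.append(arg[len("TO:"):].strip("<>"))
            replies.append("250 OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Unrecognized command")
    return replies, delivered, envelope_from


def header_from(message_text):
    """Address in the From: header of a delivered message (what the
    recipient's mail reader displays as the sender)."""
    for line in message_text.splitlines():
        if line.lower().startswith("from:"):
            return line.split("<", 1)[1].rstrip(">") if "<" in line else line[5:].strip()
    return None


def received_from(message_text):
    """(claimed HELO name, real connecting IP) from the Received: header,
    the only evidence about the origin that the sender did not author."""
    first = message_text.splitlines()[0]
    claimed, _, rest = first[len("Received: from "):].partition(" (")
    return claimed, rest.split(")", 1)[0]


if __name__ == "__main__":
    replies, message, envelope = run_smtp_server(FORGED_SESSION, CONNECTING_IP)
    print("\n".join(replies))
    print(message)
```

Both the envelope sender and the displayed From: address come back as vip@xxx.gov, and the only thing that points elsewhere is the connecting IP the relay wrote into the Received: header; the HELO name next to it is just as forged as the rest. That is the "postcard written in pencil": the recipient has to trust a line the sender did not control, and nothing else.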




Network Flooding
Intruders can stimulate responses to overload the network, e.g. by
sending requests with a forged source address so that every reply
lands on the victim




Distributed Flooding
[Figure only on the original slide: flooding traffic launched against
one victim from many hosts at once]




Cross-Site Scripting
[Figure: the intruder sends the victim a link ("Try this: link")
carrying <malicious code>; the victim follows it to the trusted site,
which echoes the code back into its own page, where it runs with
access to the trusted site's internal data]

Example link:
  http://ts.gov/script.cgi?id=<script> evil </script>
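As an added example, not from the original slides: the reflected script injection sketched above, written as a CGI-style handler in Python with the fix next to it. The URL is the one on the slide; the page layout, the function names and the 32-character length limit are assumptions for the example.

```python
"""Added example (not from the CERT slides): the reflected cross-site
scripting bug on the slide as a CGI-style handler, beside the hardened
version.  The URL is the slide's; layout, names and limits are ours."""
import html
from urllib.parse import parse_qs, urlsplit

SLIDE_URL = "http://ts.gov/script.cgi?id=<script> evil </script>"


def query_param(url, name):
    """One query parameter, or '' if absent: what a CGI script sees after
    the web server has URL-decoded the request."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(record_id):
    """The 'echo the input back' pattern.  The attacker-controlled id lands
    in the page as markup, so a victim who follows the link executes the
    attacker's script inside the trusted site's origin, with that site's
    cookies and data in reach."""
    return ("<html><body>\n"
            "<h1>Record lookup</h1>\n"
            f"<p>No record with id {record_id}</p>\n"
            "</body></html>")


def render_hardened(record_id, max_len=32):
    """Input checking (length) plus output encoding (content): bound what
    we ever echo, and HTML-escape it so it is shown as text rather than
    parsed as markup."""
    if len(record_id) > max_len:
        shown = "(invalid id)"
    else:
        shown = html.escape(record_id, quote=True)
    return ("<html><body>\n"
            "<h1>Record lookup</h1>\n"
            f"<p>No record with id {shown}</p>\n"
            "</body></html>")


def contains_active_markup(page):
    """Crude check used in the demonstration: does the response carry a
    script tag that a browser would execute?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    rid = query_param(SLIDE_URL, "id")
    print(render_vulnerable(rid))
    print(render_hardened(rid))
```

The length check alone would not have stopped the slide's payload (it is 23 characters); the escaping is what turns `<script>` into `&lt;script&gt;`. Both are needed: the length bound limits what an attacker can smuggle into logs and error pages, the encoding makes whatever gets through inert.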

Staged Attack
[Figure: an attack carried out in three numbered stages (1, 2, 3),
each launched from the system compromised in the previous one]

Intruder Trends
[Figure: attack code is packaged into a TOOL KIT and then spread by
"Packaging and Internet Distribution"]

Attack Sophistication vs. Intruder Technical Knowledge
[Figure: chart, 1980 to 2000.  Attack Sophistication (Low to High) rises
over time while the Intruder Knowledge needed falls, because the Tools
do the work; a further curve is labelled Attackers.  Plotted labels:
password guessing, self-replicating code, password cracking, exploiting
known vulnerabilities, disabling audits, back doors, hijacking sessions,
burglaries, sweepers, sniffers, packet spoofing, GUI, automated
probes/scans, denial of service, www attacks, network mgmt. diagnostics,
"stealth" / advanced scanning techniques, distributed attack tools,
staged attack, cross site scripting]

Vulnerability Exploit Cycle
[Figure: a cycle]
 • Advanced intruders discover new vulnerability
 • Crude exploit tools distributed
 • Novice intruders use crude exploit tools
 • Automated scanning/exploit tools developed
 • Widespread use of automated scanning/exploit tools
 • Intruders begin using new types of exploits, and the cycle repeats

Service Shifts
[Figure: chart, Jun-00 to Feb-01, y-axis 0 to 120 (unit not given on
the slide), one series per service: DNS, HTTP, FTP, RPC, email, IRC]

Countermeasures for IP Security
Deny service (turn off every network service that is not needed)


 Encrypt data
 •    Link (between adjacent hops)
 •    End-to-end (between the communicating hosts)
 •    Application (inside the application protocol itself)


 Separate authentication (IP provides none, so authenticate at a
 higher layer rather than trusting source addresses)


 Firewalls




Securing Services
Any network service needs
  •        System for storing information
  •        Mechanism for updating information
  •        Mechanism for distributing information


Whether a service provides security capabilities varies from service
  to service; the need for them does not




Running a Secure Server
General:
  • Minimize complexity
  • Minimize OS capabilities available to the server
  • No arbitrary command execution on server (no shell escapes, never
    pass user input to a shell)
  • Input checking (length and content)
  • Treat the server as untrusted: assume it can be compromised and
    limit what a compromise can reach

UID: must be root at start to bind a privileged port (below 1024);
change to an unprivileged user as soon as the port is bound

Directory: content, access

Secure Programs: includes, environment, trust, secrecy
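As an added example (not from the original slides): the root-at-start, drop-as-soon-as-possible rule and the length-and-content input check, for a small POSIX socket server. The service account, the request format and the 512-byte limit are assumptions for the example; nothing here is the deck's own code.

```python
"""Added example (not from the CERT slides): "root at start, changed ASAP"
and "input checking (length and content)" for a small POSIX socket server.
The service account, request format and size limit are constructed."""
import os
import pwd
import socket

SERVICE_USER = "nobody"      # constructed: unprivileged account to run as
MAX_REQUEST = 512            # constructed: longest request line we will read


def bind_listening_socket(port):
    """Step 1: bind and listen.  For a port below 1024 this is the only step
    that needs root, so it is done first, while we still are root."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s


def drop_privileges(username):
    """Step 2, immediately after bind: give up root for good and return the
    uid we now run as.  Groups are set before the uid, because once the uid
    is unprivileged the process may no longer change its groups."""
    if os.geteuid() != 0:
        return os.geteuid()            # not root: nothing to drop
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:                               # verify the drop cannot be undone
        os.setuid(0)
    except PermissionError:
        return pw.pw_uid
    raise RuntimeError("privilege drop did not stick")


def check_request(data):
    """Length and content check: one newline-terminated line of at most
    MAX_REQUEST bytes containing only printable ASCII.  Anything else is
    rejected before it reaches any parsing code."""
    if len(data) > MAX_REQUEST or not data.endswith(b"\n"):
        return False
    return all(0x20 <= b < 0x7F for b in data[:-1])


def serve_one(port=0):
    """Bind, drop privileges, then answer one request from a loopback
    client.  Returns (bound_port, uid_after_drop, reply) so the order of
    the two steps is visible to the caller."""
    listener = bind_listening_socket(port)
    bound_port = listener.getsockname()[1]
    uid = drop_privileges(SERVICE_USER)          # the socket stays open across the drop
    client = socket.create_connection(("127.0.0.1", bound_port))
    client.sendall(b"GET /status\n")
    conn, _ = listener.accept()
    data = conn.recv(MAX_REQUEST + 1)            # read one byte more than allowed
    conn.sendall(b"OK\n" if check_request(data) else b"BAD REQUEST\n")
    reply = client.recv(64)
    for s in (conn, client, listener):
        s.close()
    return bound_port, uid, reply


if __name__ == "__main__":
    print(serve_one())
```

Run as root with port 25 or 80, the process ends up as `nobody` before the first byte of client input is read, which is the point of "changed ASAP": everything that parses untrusted data runs without privilege. Reading one byte more than the limit is what lets the length check notice an over-long request instead of silently truncating it.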




Firewalls
Middle ground between protected and public nets

Damage detection and limitation

Uses
   •       Block access
   •       Selected prevention
   •       Monitor
   •       Record
   •       Encryption




Firewall Components
Packet Filter
   • Default: Permit or Deny (what happens to traffic no rule matches;
     default deny is the safe choice)
   • Router or special equipment

Servers
   • Untrusted, exposed
   • Public, fast access

Bastion Host
   • Circuit Level or Application Proxy
   • Represents/conceals protected net
   • Clients and Proxies
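As an added example (not part of the CERT slides): a first-match packet filter evaluated under both defaults, including the ingress anti-spoofing rule that the IP spoofing problem from the IP Security slide calls for. The protected network, the bastion address, the rule set and the traffic are all constructed for the example.

```python
"""Added example (not from the CERT slides): a stateless first-match packet
filter of the kind a screening router implements, run over constructed
packets under default-permit and default-deny.  Networks, hosts, ports
and rules are placeholders chosen for the example."""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed protected net
BASTION = ipaddress.ip_address("192.0.2.10")          # constructed bastion/mail host


def rule(action, direction, proto="any", src="0.0.0.0/0", dst="0.0.0.0/0",
         dport=None, established=None):
    """One filter rule.  'established' matches only packets with ACK set,
    i.e. replies belonging to a connection already opened; that is how a
    stateless filter lets return traffic in without admitting new SYNs."""
    return dict(action=action, direction=direction, proto=proto,
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                dport=dport, established=established)


def matches(r, pkt):
    return (r["direction"] == pkt["direction"]
            and r["proto"] in ("any", pkt["proto"])
            and pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
            and (r["dport"] is None or r["dport"] == pkt.get("dport"))
            and (r["established"] is None or r["established"] == pkt.get("ack", False)))


def evaluate(rules, pkt, default):
    """First matching rule wins; the default applies to everything else."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default


# Explicit rules shared by both policies below.
RULES = [
    # Anti-spoofing: nothing arriving from outside may claim an inside source.
    rule("deny", "in", src=str(INTERNAL_NET)),
    # The one public service, on the bastion only.
    rule("permit", "in", proto="tcp", dst=f"{BASTION}/32", dport=25),
    # Replies to connections the inside opened (ACK set).
    rule("permit", "in", proto="tcp", established=True),
    rule("permit", "out"),
]


def packet(direction, proto, src, dst, dport=None, ack=False):
    return dict(direction=direction, proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), dport=dport, ack=ack)


# Constructed traffic: a mail connection to the bastion, a telnet probe at
# an internal host, a packet forging an inside source, and the reply to an
# outbound web request.
TRAFFIC = {
    "smtp_to_bastion": packet("in", "tcp", "203.0.113.5", "192.0.2.10", 25),
    "telnet_to_internal": packet("in", "tcp", "203.0.113.5", "192.0.2.20", 23),
    "spoofed_inside_src": packet("in", "tcp", "192.0.2.20", "192.0.2.10", 25),
    "web_reply": packet("in", "tcp", "198.51.100.9", "192.0.2.20", 40000, ack=True),
}


def apply_policy(default):
    """Verdict per sample packet under the given default action."""
    return {name: evaluate(RULES, pkt, default) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("default permit:", apply_policy("permit"))
    print("default deny:  ", apply_policy("deny"))
```

The only verdict that changes between the two runs is the telnet probe at the internal host: with default permit it gets through because nobody wrote a rule about it, with default deny it is dropped for the same reason. The spoofed packet is refused by the first rule before the mail rule can permit it, which is why the anti-spoofing rule has to come first in a first-match list.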




Firewall Architectures
Lots of choices
• Simple filter
• Dual-ported hosts
• Screened host
• Screened subnet (DMZ)
• Multiple firewalls




Internal Firewalls
Large organization

Limit trust, failures, damage

Ease recovery

Guidelines
   • No file access across firewall
   • No shared login across firewall
   • Separate DNS
   • No trusted hosts or users across firewall




Building Firewalls
Do it yourself – Don’t

Firewall Toolkits

Complete Firewall

Managed Security Provider

Questions:
  • What am I protecting?
  • How much money?
  • How much access is needed?
  • How do I get users to use firewall?




Wrappers, Proxies and
Honeypots
Wrappers – server-based software to examine request
  before satisfying it

Proxies – bastion-based software to examine request
  before passing to server

Honeypots – False response to unsupported services (for
  attack alarm, confusion)




Bastion Considerations
Make bastion a pain to use directly

Enable all auditing/logging

Limit login methods/file access

Allow minimal file access to directories

Enable process/file quotas

No trust relationships with any other machine (no rhosts/hosts.equiv-style
"equivalent" hosts in either direction)

Monitor! Monitor! Monitor!


Common Firewall Failures
Installation errors

Policy too permissive

Users circumvent

Users relax other security

Attract attacks (less common)

Insiders

Insufficient architecture

        Conclusion: Plan security as if the firewall had already failed


Connectivity
Bellovin - “The best firewall is a large air gap between the
  Internet and any of your computers, and a pair of wire
  cutters is the most effective network protection
  mechanism.”

Do users need to access the Internet?

Can they use shared access to some services?

What services are:
  • Work-required
  • Work-related
  • Morale boosters
  • Unneeded




Telecom Security
Computers are communication

Telephone access
   • Modem (telephone or cable)
   • Serial, direct connection

Double-edged sword




Modems and Security
Modems are a popular tool for breaking security
  • Dial out: release secrets, attack
  • Dial-in: intrude on computers and networks

Secure in layers




Securing Modems
As objects: physical, configuration, sequence

As phone number: false-list, carrier-answer, restrict
  publication, change

As phone lines: disable services, one-way, caller-id

Cable communication: encryption, restricted access

All of these approaches have limits




Modems and Eavesdropping
Your premises

Wires/Cable

Central Office

Transmission links

Countermeasures:
   • Inspection
   • Electronic sweeps
   • Encryption




Additional Security
Call-back modems

Password modems

Encrypting modems

Caller-ID modems





More Related Content

Viewers also liked

Psicología del deporte (2)
Psicología del deporte (2)Psicología del deporte (2)
Psicología del deporte (2)Thania Aguilar
 
Psicología del deporte
Psicología del deportePsicología del deporte
Psicología del deporte
Maycol Astudillo Vidaurre
 
De un grupo a un equipo(psicologia)
De un grupo a un equipo(psicologia)De un grupo a un equipo(psicologia)
De un grupo a un equipo(psicologia)
nadia
 
Comportamientos relacionados con la dismorfia muscular en usuarios de estero...
Comportamientos relacionados con la dismorfia  muscular en usuarios de estero...Comportamientos relacionados con la dismorfia  muscular en usuarios de estero...
Comportamientos relacionados con la dismorfia muscular en usuarios de estero...Paulo Sena
 
Una psicología del deporte para cada deportista.pptx. horacio german garcia
Una psicología del deporte para cada deportista.pptx. horacio german garciaUna psicología del deporte para cada deportista.pptx. horacio german garcia
Una psicología del deporte para cada deportista.pptx. horacio german garciaRobertoOtazu
 
Psicologia y Deporte UCA 2016
Psicologia y Deporte UCA 2016Psicologia y Deporte UCA 2016
Psicologia y Deporte UCA 2016
Ignacio Manuel Paván
 
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
Matias Sarden
 
Memoria practicum psicologia del deporte(boccia)
Memoria practicum psicologia del deporte(boccia)Memoria practicum psicologia del deporte(boccia)
Memoria practicum psicologia del deporte(boccia)guillermo calleja ramirez
 
Autoconfianza, el motor del rendimiento(psicologia)
Autoconfianza, el motor del rendimiento(psicologia)Autoconfianza, el motor del rendimiento(psicologia)
Autoconfianza, el motor del rendimiento(psicologia)
nadia
 
Taller de psicología de tiro con arco
Taller de psicología de tiro con arcoTaller de psicología de tiro con arco
Taller de psicología de tiro con arcoKirolPsikologia
 
Atencion y concentracion en un equipo profecional(psicologia)
Atencion y concentracion en un equipo profecional(psicologia)Atencion y concentracion en un equipo profecional(psicologia)
Atencion y concentracion en un equipo profecional(psicologia)
nadia
 
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
Fundación ASCIENDE
 
El control de la ansiedad en el deporte
El control de la ansiedad en el deporteEl control de la ansiedad en el deporte
El control de la ansiedad en el deportePsic.Franklin Ramon
 
Modalidad Del Atletismo. Carrera De Larga Distancia
Modalidad Del Atletismo. Carrera De Larga DistanciaModalidad Del Atletismo. Carrera De Larga Distancia
Modalidad Del Atletismo. Carrera De Larga Distanciajose-luis1
 
Psicologia del deporte
Psicologia del deportePsicologia del deporte
Psicologia del deporte
lalosport
 
Fifa 11+
Fifa 11+Fifa 11+
Fifa 11+
Moisés Falces
 
Entrenamiento de la concentración en el deporte
Entrenamiento de la concentración en el deporteEntrenamiento de la concentración en el deporte
Entrenamiento de la concentración en el deportecentrocodex
 
Psicología aplicada al fútbol
Psicología aplicada al fútbolPsicología aplicada al fútbol
Psicología aplicada al fútbol
Colorado Vásquez Tello
 
Prebenjamines
PrebenjaminesPrebenjamines

Viewers also liked (20)

Psicología del deporte (2)
Psicología del deporte (2)Psicología del deporte (2)
Psicología del deporte (2)
 
4
44
4
 
Psicología del deporte
Psicología del deportePsicología del deporte
Psicología del deporte
 
De un grupo a un equipo(psicologia)
De un grupo a un equipo(psicologia)De un grupo a un equipo(psicologia)
De un grupo a un equipo(psicologia)
 
Comportamientos relacionados con la dismorfia muscular en usuarios de estero...
Comportamientos relacionados con la dismorfia  muscular en usuarios de estero...Comportamientos relacionados con la dismorfia  muscular en usuarios de estero...
Comportamientos relacionados con la dismorfia muscular en usuarios de estero...
 
Una psicología del deporte para cada deportista.pptx. horacio german garcia
Una psicología del deporte para cada deportista.pptx. horacio german garciaUna psicología del deporte para cada deportista.pptx. horacio german garcia
Una psicología del deporte para cada deportista.pptx. horacio german garcia
 
Psicologia y Deporte UCA 2016
Psicologia y Deporte UCA 2016Psicologia y Deporte UCA 2016
Psicologia y Deporte UCA 2016
 
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
CENTRO DE FORMACION Y CAPACITACION EN EL DEPORTE 2015. Curso Integral en Coac...
 
Memoria practicum psicologia del deporte(boccia)
Memoria practicum psicologia del deporte(boccia)Memoria practicum psicologia del deporte(boccia)
Memoria practicum psicologia del deporte(boccia)
 
Autoconfianza, el motor del rendimiento(psicologia)
Autoconfianza, el motor del rendimiento(psicologia)Autoconfianza, el motor del rendimiento(psicologia)
Autoconfianza, el motor del rendimiento(psicologia)
 
Taller de psicología de tiro con arco
Taller de psicología de tiro con arcoTaller de psicología de tiro con arco
Taller de psicología de tiro con arco
 
Atencion y concentracion en un equipo profecional(psicologia)
Atencion y concentracion en un equipo profecional(psicologia)Atencion y concentracion en un equipo profecional(psicologia)
Atencion y concentracion en un equipo profecional(psicologia)
 
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
Investigación, Formación y Ejercicio profesional en Psicología del Deporte.
 
El control de la ansiedad en el deporte
El control de la ansiedad en el deporteEl control de la ansiedad en el deporte
El control de la ansiedad en el deporte
 
Modalidad Del Atletismo. Carrera De Larga Distancia
Modalidad Del Atletismo. Carrera De Larga DistanciaModalidad Del Atletismo. Carrera De Larga Distancia
Modalidad Del Atletismo. Carrera De Larga Distancia
 
Psicologia del deporte
Psicologia del deportePsicologia del deporte
Psicologia del deporte
 
Fifa 11+
Fifa 11+Fifa 11+
Fifa 11+
 
Entrenamiento de la concentración en el deporte
Entrenamiento de la concentración en el deporteEntrenamiento de la concentración en el deporte
Entrenamiento de la concentración en el deporte
 
Psicología aplicada al fútbol
Psicología aplicada al fútbolPsicología aplicada al fútbol
Psicología aplicada al fútbol
 
Prebenjamines
PrebenjaminesPrebenjamines
Prebenjamines
 

Similar to Netsec

Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
DaveEdwards12
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
F5 Networks
 
Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
The eCore Group
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
zohaibqadir
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security MonitoringAnton Goncharov
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 
netsec.ppt
netsec.pptnetsec.ppt
netsec.ppt
ssuserec53e73
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
InnoTech
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attack
spoofyroot
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
It's 2012 and My Network Got Hacked - Omar Santos
It's 2012 and My Network Got Hacked  - Omar SantosIt's 2012 and My Network Got Hacked  - Omar Santos
It's 2012 and My Network Got Hacked - Omar Santos
santosomar
 
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBMUndgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
IBM Danmark
 
Smart Protection Network
Smart Protection NetworkSmart Protection Network
Smart Protection Networkkevin liao
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 

Similar to Netsec (20)

Mobile Security
Mobile Security Mobile Security
Mobile Security
 
Mobile Security
Mobile Security Mobile Security
Mobile Security
 
S series presentation
S series presentationS series presentation
S series presentation
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 
Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security Monitoring
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
 
netsec.ppt
netsec.pptnetsec.ppt
netsec.ppt
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attack
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
It's 2012 and My Network Got Hacked - Omar Santos
It's 2012 and My Network Got Hacked  - Omar SantosIt's 2012 and My Network Got Hacked  - Omar Santos
It's 2012 and My Network Got Hacked - Omar Santos
 
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBMUndgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM
 
Smart Protection Network
Smart Protection NetworkSmart Protection Network
Smart Protection Network
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 

Netsec

  • 1. Network Security Threats CERT Centers, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 SEI is sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon University 95-752:8-1
  • 2. TCP/IP Internet: Network of Networks • Connected by routers, no central control • Using common set of protocols TCP/IP - Two-level package of protocols for Internet • Transmission Control Protocol (TCP) -- sequencing of series of packets to transmit data reliably over Internet • Internet Protocol (IP) -- flexible routing of information from source to destination • TCP is not only protocol running on top of IP: - UDP - one-directional burst of packets - ICMP - network management protocol - UGMP - multicast management protocol © 2000 by Carnegie Mellon University 95-752:8 - 2
  • 3. How IP Works Packet switched: • Flow of information broken into chunks • Each routed independently by best route to destination • Destination must reassemble into correct order • Errors handled by retransmission Internet Address: • Logical network (location) & Logical host (identity) • Most frequently translated into dotted decimal: 10110110 11100111 00011000 10101010 182 231 24 170 182.231.24.170 • V4 (1982) -- current version (32 bit addresses) • V6 (1999) -- forthcoming version (128 bit addresses) © 2000 by Carnegie Mellon University 95-752:8 - 3
  • 4. Routing and Hostnames Each router in Internet: • List of known network links • List of connected hosts • Link for unknown networks (“other”) Route information passed between routers • Accessible networks • Cost of linkage (speed, load, distance, etc.) Hosts mapped by IP address • One host, several IP addresses (multiple interfaces) • One IP address, several hosts (dynamic assignment) © 2000 by Carnegie Mellon University 95-752:8 - 4
  • 5. IP Security Many problems: • Network sniffers • IP Spoofing • Connection Hijacking • Data spoofing • SYN flooding • etc. Hard to respond to these attacks: • Designed for trust • Designed without authentication • Evolving -- employed for uses beyond design © 2000 by Carnegie Mellon University 95-752:8 - 5
  • 6. Network Redirection Intruders can fool routers into sending traffic to unauthorized locations © 2000 by Carnegie Mellon University 95-752:8 - 6
  • 7. Email Here is the program you’ve been waiting for. VIP@XXX.GOV Trusted Colleague A postcard written in pencil, with trusted cargo attached © 2000 by Carnegie Mellon University 95-752:8 - 7
  • 8. Email Forgery It is pretty simple to create email from a computer or user other than the real sender © 2000 by Carnegie Mellon University 95-752:8 - 8
  • 9. Network Flooding Intruders can stimulate responses to overload the network © 2000 by Carnegie Mellon University 95-752:8 - 9
  • 10. Distributed Flooding © 2000 by Carnegie Mellon University 95-752:8 - 10
  • 11. Cross-Site Scripting Malicious code Try this: link <malicious code> trusted site Internal data http://ts.gov/script.cgi?id=<script> evil </script> © 2000 by Carnegie Mellon University 95-752:8 - 11
  • 12. Staged Attack 1 2 3 © 2000 by Carnegie Mellon University 95-752:8 - 12
  • 13. Intruder Trends TOOL KIT Packaging and Internet Distribution © 2000 by Carnegie Mellon University 95-752:8 - 13
  • 14. Attack Sophistication vs. Intruder Technical Knowledge Cross site scripting “stealth” / advanced Tools High scanning techniques Staged packet spoofing denial of service attack sniffers distributed attack tools Intruder sweepers www attacks Knowledge automated probes/scans GUI back doors disabling audits network mgmt. diagnostics hijacking burglaries sessions Attack exploiting known vulnerabilities Sophistication password cracking self-replicating code password guessing Attackers Low 1980 1985 1990 1995 2000 © 2000 by Carnegie Mellon University 95-752:8 - 14
  • 15. Vulnerability Exploit Cycle Novice Intruders Automated Use Crude Scanning/Exploit Exploit Tools Tools Developed Intruders Begin Crude Widespread Use Using New Exploit Tools of Automated Types Distributed Scanning/Exploit of Exploits Tools Advanced Intruders Discover New Vulnerability © 2000 by Carnegie Mellon University 95-752:8 - 15
  • 16. Service Shifts 120 100 80 DNS HTTP 60 FTP RPC 40 email IRC 20 0 Jun-00 Jul-00 Aug-00 Sep-00 Oct-00 Nov-00 Dec-00 Jan-01 Feb-01 © 2000 by Carnegie Mellon University 95-752:8 - 16
  • 17. Countermeasures for IP Security Deny service Encrypt data • Link • End-to-end • Application Separate authentication Firewalls © 2000 by Carnegie Mellon University 95-752:8 - 17
  • 18. Securing Services Any network service needs • System for storing information • Mechanism for updating information • Mechanism for distributing information Provision of security capabilities is independent, need is not © 2000 by Carnegie Mellon University 95-752:8 - 18
  • 19. Running a Secure Server General: • Minimize complexity • Minimize OS Capabilities • No arbitrary command execution on server • Input checking (length and content) • Untrusted server UID Must be root at start (port access), Changed ASAP Directory: content, access Secure Programs: includes, environment, trust, secrecy © 2000 by Carnegie Mellon University 95-752:8 - 19
  • 20. Firewalls Middle ground between protected and public nets Damage detection and limitation Uses • Block access • Selected prevention • Monitor • Record • Encryption © 2000 by Carnegie Mellon University 95-752:8 - 20
  • 21. Firewall Components Packet Filter • Default: Permit or Deny • Router or special equipment Servers • Untrusted, exposed • Public, fast access Bastion Host • Circuit Level or Application Proxy • Represents/conceals protected net • Clients and Proxies © 2000 by Carnegie Mellon University 95-752:8 - 21
  • 22. Firewall Architectures Lots of choices • Simple filter • Dual-ported hosts • Screened host • Screened subnet (DMZ) • Multiple firewalls © 2000 by Carnegie Mellon University 95-752:8 - 22
  • 23. Internal Firewalls Large organization Limit trust, failures, damage Ease recovery Guidelines • No file access across firewall • No shared login across firewall • Separate DNS • No trusted hosts or users across firewall © 2000 by Carnegie Mellon University 95-752:8 - 23
24. Building Firewalls
Do it yourself – Don’t
Firewall toolkits
Complete firewall
Managed security provider

Questions:
 • What am I protecting?
 • How much money?
 • How much access is needed?
 • How do I get users to use the firewall?
25. Wrappers, Proxies and Honeypots
Wrappers – server-based software to examine a request before satisfying it
Proxies – bastion-based software to examine a request before passing it to the server
Honeypots – false responses to unsupported services (for attack alarm, confusion)
26. Bastion Considerations
Make the bastion a pain to use directly
Enable all auditing/logging
Limit login methods/file access
Allow minimal file access to directories
Enable process/file quotas
Trust-equivalent to no other machine
Monitor! Monitor! Monitor!
27. Common Firewall Failures
Installation errors
Policy too permissive
Users circumvent
Users relax other security
Attract attacks (less common)
Insiders
Insufficient architecture

Conclusion: Plan security as if the firewall had failed
28. Connectivity
Bellovin – “The best firewall is a large air gap between the Internet and any of your computers, and a pair of wire cutters is the most effective network protection mechanism.”
Do users need to access the Internet?
Can they use shared access to some services?
What services are:
 • Work-required
 • Work-related
 • Morale boosters
 • Unneeded
29. Telecom Security
Computers are communication
Telephone access
 • Modem (telephone or cable)
 • Serial, direct connection
Double-edged sword
30. Modems and Security
Modems are a popular tool for breaking security
 • Dial-out: release secrets, attack
 • Dial-in: intrude on computers and networks
Secure in layers
31. Securing Modems
As objects: physical, configuration, sequence
As phone number: false-list, carrier-answer, restrict publication, change
As phone lines: disable services, one-way, caller-ID
Cable communication: encryption, restricted access
All of these approaches have limits
32. Modems and Eavesdropping
Your premises
Wires/cable
Central office
Transmission links

Countermeasures:
 • Inspection
 • Electronic sweeps
 • Encryption
33. Additional Security
Call-back modems
Password modems
Encrypting modems
Caller-ID modems

Editor's Notes

  1. Fix is to have routers listen only to approved information sources, but this may involve pressure on vendors to fix current problems, as well as defining what an “approved information source” is. Many sites cannot afford to sacrifice flexibility in connectivity, so there may be some tradeoffs here.
  2. Fix here is to have trusted means for proving the identity of email authors, which has significant policy issues (sufficient trust, maintaining trust, signature authority, etc.). Lots of use around April 1 (Chernenko@moskvax), but also to conceal attacks.
  3. Note animation here. Easy to do, lots of ways to do it; no easy fix except careful control on the ISP end, which requires contractual support and possibly authority to cut the normal Internet connection.
  4. Note pretty lengthy animation here (sample tool: Tribal Flood Network).
     Basic net -- seen before, represents Internet and connected systems.
     Intruder with toolkit -- not only do intruders magnify the impact of a kit by passing it along to others, but they are aggressively pursuing distributed technologies.
     Initial intrusion -- intruder selects a site with lax (or no) security.
     Bomb factory -- installs software to coordinate the distributed attack.
     Bomb distribution -- either the intruder or the bomb factory scans broadly for vulnerable sites for attack agent installation (ref back to Internet Auditing Project).
     Bomb installation -- attack agents are loaded on a broad group of sites.
     Flooding -- either on command or at a prefixed time, attack agents all hit the designated target site. Hosts send 32,000 byte packets at a designated rate for a designated time.
     Crashes -- 500 hosts sending 32,000 byte packets can easily overwhelm an internal host, internal LAN segments, and the Internet connection.
     Attack used in early 2000 web flooding. No simple or single-point defense for this; must have preparation at the ISP and be able to coordinate response with attack-agent sites, and also do what we can to reduce the vulnerable population of sites. Your security depends on the security of others. (If time, discuss regulatory role in fixing vulnerabilities in embedded systems.) Current tools work to attack routers with illegally formatted packets.
  5. What is diagrammed here is only one (the simplest) variant; very tough to block them all. Intruder sends the victim a link to the trusted site with malicious code embedded. The victim contacts the trusted site, inadvertently passing the malicious code on to be immediately sent back to the victim. The victim’s browser executes the malicious code as if it came from the trusted site, doing whatever the intruder wanted, including release of internal data. Link at bottom of screen shows the simplest form of embedding code, with actual HTML code replacing “evil”. See CERT Advisory 2000-02 for more details.
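The defect the note describes is a page that copies request data straight back into its own HTML. As an added example, not from the lecture or the advisory, here is the same request-echo handler written the way the note diagrams it and then with the one fix that closes this variant: encoding untrusted input for the HTML context it lands in. The site name, the `/search?q=` page and the `<script>evil()</script>` placeholder (standing in for the note's “evil”) are constructed.

```python
"""Added example (not from the lecture): a request-echo page in its
vulnerable form and its fixed form.  URL, parameter and payload are constructed."""
from html import escape
from urllib.parse import parse_qs, urlsplit

def _query_param(url: str, name: str) -> str:
    """Pull one query parameter out of a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def echo_vulnerable(url: str) -> str:
    """Reflects 'q' straight into the page: whatever markup the link carried
    comes back to the browser as the trusted site's own HTML and is executed
    with that site's privileges."""
    q = _query_param(url, "q")
    return f"<p>You searched for: {q}</p>"

def echo_fixed(url: str) -> str:
    """Same handler, but the untrusted value is encoded for an HTML text
    context, so '<', '>', '&' and quotes arrive as characters, not tags."""
    q = _query_param(url, "q")
    return f"<p>You searched for: {escape(q, quote=True)}</p>"

def reflects_markup(page: str, payload: str) -> bool:
    """Detection check a reviewer or scanner would run: is the payload present
    in the response unchanged, i.e. as live markup?"""
    return payload in page

# Constructed link of the kind the note describes: the 'trusted' site's own
# search page, with markup in the parameter (URL-encoded by the sender).
CONSTRUCTED_LINK = "http://trusted.example/search?q=%3Cscript%3Eevil()%3C/script%3E"
PAYLOAD = "<script>evil()</script>"

if __name__ == "__main__":
    print("vulnerable:", echo_vulnerable(CONSTRUCTED_LINK))
    print("fixed:     ", echo_fixed(CONSTRUCTED_LINK))
```

The fixed handler still shows the user exactly what they typed; it just no longer lets the browser interpret it. Output encoding has to match the context (text, attribute, URL, script), which is why the note says the diagrammed case is only the simplest variant.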
  6. This is a more modern approach: tools that specifically trade off actions across computers in order to make investigation and defeat much more difficult. This breaks a lot of intrusion detection schemes.
  7. Anyone can use a toolkit -- include anecdote about DOS/Unix.
     Increased sophistication of intruder methods, increased availability of shrink-wrapped intruder toolkits and an increased number of capable intruders lead to a greater chance of a successful intrusion at organizations and greater difficulty detecting intrusions because of the stealthiness of toolkits.
     Bottom line: you must anticipate and prepare for how you will detect and respond to incidents. Also mention the CERT/CC website, where event trend data is updated regularly and defensive tools and methods are available. Attacks on the following slides are ones seen currently.
  8. Use as recap of preceding slides (note LOTS of attack methods). Note the shift from the “standard” CERT/CC slide to reflect that attacks are currently available to very close to the lowest level of intruder knowledge (point-and-click level). Slide is also updated for 2000.
     The gold curve indicates the knowledge needed to perform an attack. It does not mean that intruders are becoming more stupid, although the average expertise level may be declining because of dilution by new, young, inexperienced attackers, and there have been intruders with significantly below-normal intelligence. The precise points on this curve are estimates.
     The red line indicates the sophistication of the tools and toolkits used by attackers: leveraging currently available technologies (code reuse, GUI, web, etc.), creating easy-to-use exploitation scripts, developing increasingly sophisticated toolkits, transferring expertise to novices (lots of web sites with downloads), scanning large blocks of addresses (ref Internet Auditing Project), and increasing impact by targeting the infrastructure.
     The cumulative effect of both curves is that the information needed to break into a system is relatively flat over time. What is trading off is how much of that information is embedded in the tool vs. the user; adding more to the tool allows many more users to do a given attack. Relate story of the intruder who used a tool to get into a UNIX box and gain administrator privileges, then couldn’t use it because the intruder did not know UNIX commands. Also note that many view administrator access as easier to automatically gain than user access, so that even attacks that don’t require administrator access are done at that level.
  9. Shape of curve is apocryphal, reflecting number of reports. Note that tool creation and use is getting much more sophisticated as intruders adopt an open-source development style, building off of each other’s tools. Talk about the cumulative effect of multiple bumps.
  10. Graph is of the involvement of network services in any incident active during the given month (whether as attack vector or attack target). Note the trade-off during June-July between DNS and FTP exploitation in incidents, due to publication of the format string exploit.