Introduction. Network Security HS Security Trends

Transcription

1 Introduction Network Security HS 2014 Security Trends Network Security HS 2014

2 Why is network security an issue? , web sites, video conferencing, instant messaging, voice over IP, e-commerce, e-government, distributed control systems (for energy, water, traffic etc.), social networks... Economy and our life more and more depends on the Internet Distributed information systems have become critical infrastructures Open systems technology is standardized and is no longer a secret Insecurity driven by organized crime Entirely new «business models» Huge and fast growing Internet user base (est.: 2.80 billion) increasing risk (both damage potential and probability of occurrence increase) ETH Zurich, Intro Network Security NSHS08H Internet Security Evolution Figure courtesy Engin Kirda, Northwestern University ETH Zurich, Intro Network Security NSHS08H

3 Cybercrime is now a business ETH Zurich, Intro Network Security NSHS08H Klikparty, 2007 Credits Engin Kirda Klikparty, 2007 Credits Engin Kirda ETH Zurich, Intro Network Security NSHS08H

4 Security Threats Network Security HS 2014 Asymmetric threat and leverage Asymmetric Threat IT and the Internet continually give attackers new opportunities for leverage - automation, technique propagation - distant action in a network - security unaware users join the Internet Attacker tries a few exploits on a few systems, but defenders must secure all systems against all exploits Leverage You may reach 100 million potential subjects (customers, or victims) We can t count on previous constraints (e.g. travel cost, cost of physical shipment) to limit the effectiveness of an attacker Scary aspect of modern technology ETH Zurich, Intro Network Security NSHS08H

5 Attacker Motivation Ego To show the world what one can do To impress peers To live some fantasy of omnipotence Revenge, destruction, creation of fear: Cyber warfare Terrorism Secret service activities (Stuxnet 2010, Snowden/NSA 2013) Direct revenge (e.g. a disgruntled former employee) Criminal intent Blackmail, racketeering (Schutzgelderpressung) Credit card fraud Infiltrating e-banking Spamming, phishing ETH Zurich, Intro Network Security NSHS08H Attacker Motivation (cont.) Acquisition of computing and network resources: Typically commercial motivation, stealth is usually desired Has become widespread in the last few years: Botnets - The cybercriminal s cloud - Botnets have 10k to >1M hosts, have been used in DoS attacks... Often causes overall network degradation and cost for protection (e.g. Spam) collateral damages are significant Acquisition of sensitive information: Industry espionage by competitors and intelligence agencies Undercover criminal investigations ( On-line-Durchsuchung in Germany, ETH Zurich, Intro Network Security NSHS08H

6 What can attackers do? Attack flow of information Send fake messages Replay messages Modify messages in transit Attack services to achieve denial of service Overload system resources Attack Internet infrastructure DNS, BGP, ARP Gain unauthorized access to services Infiltrate security protocols or processes (e.g. MITM) Change system functions Infiltrate system with attack code Modify foreign web pages change appearance of a webpage Place attack code Hijack user sessions E-banking Assume false identity Use social engineering to establish trust Break crypto etc. ETH Zurich, Intro Network Security NSHS08H Where are the attack targets? Hackers attack us where we sit: Client-side attacks dominate Browser attacks now target plug-ins IFrame based attacks are now prevalent Attacks of all shapes and sizes Anti-virus worms Social networking attacks -MySpace & Facebook Phishing -banking industry is target #1 Web mines - rather than Documents - PDFs are no longer safe! Data stored on end-points is often most valuable and the least protected! ETH Zurich, Intro Network Security NSHS08H

7 ETH Zurich, Intro Network Security NSHS08H Security Concepts Network Security HS 2014

8 What is the goal of security? Confidentiality Integrity Availability And more: Authenticity Accountability Non repudiation Privacy Glossary: The CIA triad Confidentiality: prevention of unauthorized disclosure of information Integrity: prevention of unauthorized modification or deletion of information Availability: prevention of unauthorized withholding of information ETH Zurich, Intro Network Security NSHS08H I C A Attack classification Passive attacks Active attacks Confidentiality Availability Integrity and Authenticity Compromise of content Traffic analysis Classification due to Steve Kent, BBN Technologies Denial of service Modification Fabrication Replay ETH Zurich, Intro Network Security NSHS08H

9 Establishment of a virtual secure channel Content integrity, confidentiality Source authenticity Security measures Secure Channel Authorized recipients Alice Internet Bob ETH Zurich, Intro Network Security NSHS08H What is a secure channel? Not confidential channel An attacker can eavesdrop on all information sent. Confidential channel No eavesdropping possible on information sent. Not authentic channel The receiver has no guarantee that the sender is the one he claims to be, and that the content is original. Authentic channel The receiver can be assured that the sender of the information is the one he claims to be and that the content is original. Channel type Not authentic authentic Not confidential confidential secure = authentic and confidential ETH Zurich, Intro Network Security NSHS08H

10 Secure communication using insecure channel Attacker Has full access to the physical channel Knows all mechanisms and protocols Does not know any secret keys Part of Kerckhoff s design principles for military ciphers Message Message Secret Key 1 Security transformation encryption Channel Security transformation decryption Secret Key 2 Sender Receiver ETH Zurich, Intro Network Security NSHS08H Access control Legitimate user attacker Access control Information system (hardware, software, storage, applications) Local security measures intrusion detection, event logging, local access control... ETH Zurich, Intro Network Security NSHS08H

11 System Map: Security on different OSI layers User Interface Intrusion detection/protection, spam filtering, economic incentives, legal enforcement, forensics User Interface Auth Application SSH Application Auth Auth Application Transport SSL Transport Transport Network IPSEC Network Network Physical Layer Link encryption Physical Layer Quantum Cryptography Physical Layer Hardware and software platforms and environments ETH Zurich, Intro Network Security NSHS08H Conclusions and take home message Network Security HS 2014

12 Take Home Message Decades of security problems: Security is a process, not a one time thing What is the security goal? Know the CIA triad! Attacks differ a lot but can be classified Cryptography can provide secure channels in an insecure network Security can be implemented at different OSI layers Know some significant historic attack cases (see reader on Moodle) ETH Zurich, Intro Network Security NSHS08H Threats to Civilization Image source: Kevin Siers, North Carolina, The Charlotte Observer ETH Zurich, Intro Network Security NSHS08H

13 Firewall Techniques November 2014 Firewall techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust. Types of operation Simple packet filter Stateful filter Application layer/ proxy based

14 Firewall Rules Filtering Ingress: Filter incoming traffic Egress: Filter outgoing traffic Default Policy Accept all versus reject all Deny Access Drop -silently drop packet Reject -drop packet and inform sender Transparency firewall and network fingerprinting Firewall Rule Processing NIC = Network Inteface Card

15 Stateless Firewall - Packet Filter Functionality examine a packet at the network layer decision based on header in packet Pros application independent good performance and scalability Cons No state or application context Source: CheckPoint Stateful Firewall Functionality keep track of the state of the network connections decision based on session state Pros easyer to specifiy rules Cons state explosion state for UDP?

16 Application Layer Firewall Functionality take application state into security decision Pros application layer awareness Cons supported application protocols performance, scalability Firewall Attack/Bypass Techniques IP Address spoofing Fragmentation the port number is only in the first fragment meaning that filtering on TCP or UDP is lost without reassembly, attack gets through Vulnerabilities exploiting vulnerabilities in firewall software/os Denial of Service state explosion (what s the FW fallback policy?) Tunneling/covert channel submit data in ICMP ping packets, DNS channel,..

17 Firewall Detection 1 Port scanning identify potential firewall IP through traceroute port scan targets, analyze response - Check source IP of responses of blocked/open ports - Analyze differences in responses Firewall defense firewall improves obscurity by spoofing the source address of the RST/ACK packet to be that of the target host Tools: nmap, firewalk, hping Firewall detection 2 Play with Time to Live (TTL) set packet TTL to expire one hop past firewall if packet is passed by firewall, a TTL expired should be received If packet is blocked by firewall, either of the following could occur: - an ICMP administratively prohibited response is received. - the packet is dropped without comment. Firewall defense firewall checks for low TTL firewall spoofs or creates response

18 Firewall implementation November 2014 Firewall setup: Two Variants Internet DNS Firewall 1 Firewall 2 public servers Protected internal network (DMZ de-militarized zone ) Variant 1 Internet Firewall DNS public servers Protected internal network Variant 2 (DMZ de-militarized zone )

19 Firewalling with Linux iptables: How packets traverse the kernel Destination NAT (Pre- Routing) Routing Forward Chain Source NAT (Post- Routing) ipchains Drop or iptables Input Chain Local Process Output Chain Drop Drop Chains Chain: Set of rules which are interpreted sequentially Interpretation stops when a target or the end of the chain is reached Targets: ACCEPT, DROP, REJECT, LOG, RETURN Built-in chains: INPUT, OUTPUT, FORWARD Chain policy: Sets implicit target at the end of the chain User-defined chains: Like subroutines When end of chain is reached: If a built-in chain: Policy of the chain is applied If a user-defined chain: Next rule of the calling chain will be applied (implicit RETURN)

20 Operations on chains Create new chain iptables N chain_name Erase all rules in chain iptables F chain_name Remove empty chain iptables X chain_name Set chain policy iptables P chain_name target Managing rules in a chain add: delete: insert: iptables A chain_name rule_spec iptables D chain_name rule_num iptables I chain_name [rule_num] rule_spec Rules A rule specifies a filter and optionally a target Rules may be inserted in chains and deleted from chains chains can be built up and changed dynamically Filters can use different criteria (match or don t match) Source and destination addresses: -s, -d Protocols: -p Interfaces: -i, -o TCP flags: --protocol tcp --tcp-flags examine flags_set

21 Examples iptables L INPUT iptables P INPUT DROP iptables A INPUT s p icmp j DROP iptables A INPUT s! j ACCEPT iptables A INPUT p! tcp -j DROP iptables D INPUT 14 Documentation A compact user guide to iptables: (somewhat outdated) An extensive tutorial on IP and iptables: Ubuntu: man iptables