CS2107 Introduction to Information and System Security (Slide set 8)




Networks, the Internet
Tool support
CS2107 Introduction to Information and System Security (Slide set 8)
National University of Singapore, School of Computing
July, 2015

Networking

Outline
1 Networks, the Internet
    The Internet
    Basic networking
2 Tool support
    For observing the environment
    IDS - Intrusion Detection Systems


Internet history Moments in time...

Objects in space...
The first network, the first router, the first message...
The original network diagramming tool was a pencil, and the first network had four routers (originally called IMPs), and four nodes (at UCSB, UCLA, SRI and University of Utah). The first successful transmission was from UCLA to SRI in September 1969, and was recorded in the UCLA logbook.

Structure of networks now...
More in the tutorial...
[Figure: network diagram; labels: The "Internet", R, DMZ, intranet, Laptop, Web server]
The topology of the Internet, particularly nearer the edge of the Internet, appears more like a tree than a lattice, and we use the routers to control access to and from the smaller local networks.

Firewalls When a router is protecting you... Firewalls are brick walls often found in wooden buildings and are supposed to prevent the spread of fire. In networking we use the same idea - the firewall is a router, which limits access to and from the Internet. We normally imagine that the fire is on the Internet side :)


Basic basic basic networking...
Internet traffic sent in packets...
Routing info added (to and from addresses, size, type of message, sequence number)
Little message
Lots of opportunity to modify routing information, spoof etc

Basic basic basic networking...
The OSI reference model and the IP reference model...

OSI layers: Application, Presentation, Session, Transport, Network, Datalink, Physical

IP layers and example protocols:
    Application   FTP HTTP DNS POP SSH TELNET RTP SIP NTP TLS/SSL ...
    Transport     TCP UDP ...
    Network       IP ICMP IGMP ...
    Link          PPP ARP ...

Basic basic basic networking...
Jargon, layers, names, addresses, services/ports...

[Figure: Connections. Router (3 interfaces): 212.3.4.5, 192.168.1.1, 192.168.0.1. Web and mail server: 192.168.0.123, with ports 80 (web) and 25 (mail).]

Layered addresses:
    Application   HTTP:dbs.com.sg
    Transport     TCP:192.168.0.123:80
    Network       192.168.0.123
    Link          f8:1e:df:e2:b4:63

The router/gateway above has 3 interfaces, each with an IP address, and attached to a network. The web and mail server is a single machine with one interface, and two open ports - one for the web server, and the other for mail. Addresses like 192.168.* are not routable over the Internet.

Configuration of routers/firewalls...
A router/firewall is a computer, with routing software
The underlying principle for routers is to disallow every packet, and then only enable forwarding of those packets that are needed. An example of fail-safe defaults. Some firewalls base their decision to forward a packet by looking just at the content of each packet; others keep track of what you have done previously. In any case, firewall/routing software has rules to allow or disallow connections between interfaces. If we had a router with two attached networks (WAN and DMZ):

    iptables -A FORWARD -s 0/0 -i WAN -d 192.168.0.123 -o DMZ -p TCP \
        --sport 1024:65535 -m multiport --dports 80 -j ACCEPT

This tells the router software to accept packets from a WAN interface and forward them to a web server (port 80, address 192.168.0.123, on a DMZ interface). How complex is that?

Configuration of routers/firewalls...
Complex systems lead to security concerns
Consider the following points:
1 The iptables command given in the previous slide is typical of many used to configure a router/gateway.
2 On my system at home, I have a total of 120 rules like that, as I provide various services including an SMS/SIP gateway.
3 The likelihood that my system with 120 rules is secure is very low.
We must assume mistakes could have been made, and be cynical about the security of the network.
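One way to check a large rule set against the fail-safe-default principle, as an added example that is not part of the original slides: a small audit over a rule listing written in the style of iptables-save. The sample rules are constructed (only the first FORWARD rule mirrors the slide's command), and the names parse_rule and audit are hypothetical.

```python
import shlex

# Constructed sample in the style of iptables-save output (not the lecturer's
# router). WAN and DMZ are the symbolic interface names used on the slide.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 0/0 -i WAN -d 192.168.0.123 -o DMZ -p tcp --sport 1024:65535 -m multiport --dports 80 -j ACCEPT
-A FORWARD -i WAN -o DMZ -p tcp -j ACCEPT
-A FORWARD -i WAN -d 192.168.0.123 -o DMZ -j ACCEPT
COMMIT
"""

ANY = {None, "0/0", "0.0.0.0/0"}  # a missing -d also means "any destination"

def parse_rule(line):
    """Turn '-A CHAIN -opt value ...' into (chain, {option: value})."""
    tokens = shlex.split(line)
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        key = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[key] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return chain, opts

def audit(ruleset, chain="FORWARD"):
    """Return (line number, finding) pairs that contradict default-deny."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append((n, f"default policy is {policy}, not DROP"))
        elif line.startswith(f"-A {chain} "):
            _, o = parse_rule(line)
            if o.get("-j") != "ACCEPT":
                continue
            if o.get("-d") in ANY:
                findings.append((n, "ACCEPT with no destination address"))
            if not (o.get("--dport") or o.get("--dports")):
                findings.append((n, "ACCEPT with no destination port"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE):
        print(f"line {lineno}: {problem}")
```

The slide's own rule passes; the ACCEPT default policy and the two broader constructed rules are reported, which is the kind of mistake that hides among 120 rules.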


Observing your network
Commands like ping, traceroute...
The command ping sees if a remote host will respond to us - do we have a connection?

    ping www.govt.nz

The command traceroute sends a series of small packets across a network, and attempts to display the route (or path) that the messages would take to get to a remote host.

    traceroute www.govt.nz
    traceroute -I/T www.govt.nz

Other commands may also be useful - ifconfig, netstat, route and so on.

Observing wifi networks A Wifi scanner program...

Observing networks and mapping machines The nmap program mapping out my ipad...

Observing network traffic Wireshark displaying an ethernet frame...


Intrusion Detection Systems From Wikipedia... An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts

Sample IDS: snort From Wikipedia... Snort is a free and open source Network Intrusion prevention system (NIPS) and network intrusion detection (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks. Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by dropping attacks as they are taking place. Snort can be combined with other software such as SnortSnarf, sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data...

Sample IDS interface Snort web-based interface showing alerts...

Summary...
This lecture was mostly about network issues
Some basic networking information, and jargon
A plea to use independent tools to check configurations