Overview of Network Security

Outline:
- The need for network security
- Desirable security properties
- Common vulnerabilities
- Security policy designs

Why Network Security? Keep the bad guys out.

(1) Closed networks
- Establishing small, well-guarded doors to provide secure access for the good guys.
- Reasonably secure because of no outside connectivity.

(2) Open networks
- The networks of today are more open.
- Companies strike a balance by not only keeping the bad guys out but also by developing increasingly complex ways of letting the good guys in.
- Mobile commerce and wireless networks demand security solutions.
Security: protection against malicious attack by outsiders.
- Up to 80 percent of all security intrusions are initiated by internal individuals.

Security measures should ensure:
- Users can perform only authorized tasks.
- Users can obtain only authorized information.
- Users cannot cause damage to the data, applications, or operating environment of a system.
- The system can track user actions and the network resources those actions access.

Desirable Security Properties
- Confidentiality
- Integrity
- Availability
- Authentication
- Access Control (Authorization)
Confidentiality: protection of data from unauthorized disclosure to a third party.
- A business is responsible for protecting the privacy of its data (customer data and internal company data):
  - the information of a company, and
  - the transmission of such information.

Integrity: data is not altered or destroyed in an unauthorized manner.

Availability: the continuous operation of public services.

Authentication: determining whether someone or something is, in fact, who or what it is declared to be. Example: logon passwords.

Access Control (Authorization): giving someone permission to do something. Example: the system administrator defines which users are allowed access to the system and with what privileges of use (such as access to which file directories, hours of access, etc.).
Key Elements of Network Security
- Perimeter security
- Data privacy
- Security management

Perimeter Security
- Routers and firewalls with packet filtering control access to critical network applications, data, and services so that only legitimate users and information can pass through the network.
Data Privacy
- Provide authenticated, confidential communication, e.g. IP Security (IPSec).

Security Management
- Regularly test and monitor the state of security preparation.
- Network vulnerability scanners can proactively identify areas of weakness.
- Intrusion detection systems can monitor and respond to security events as they occur.
Weaknesses of Computer Networks
A network typically consists of:
- Protocols
- Desktop operating systems
- Network devices (routers, firewalls, etc.) used to pass data through the network.

Vulnerabilities that can potentially be exploited:
- TCP/IP protocol weaknesses, including HTTP, ICMP, SNMP, SMTP.
- Operating system weaknesses, including UNIX, MS-Windows, OS/2.
- Network equipment weaknesses, including:
  - Password protection
  - Lack of authentication
  - Routing protocols
  - Misconfigured protocols
Primary Network Threats
- Unstructured threats - inexperienced individuals use easily available hacking tools, such as shell scripts and password crackers. The intention is testing and challenging a hacker's skills.
- Structured threats - hackers that are highly motivated and technically competent. They know system vulnerabilities. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses.
- External threats - individuals or organizations working outside of a company who do not have authorized access to the computer systems or network.
- Internal threats - someone who has authorized access to the network, with either an account on a server or physical access to the network.

[Figure: the Internet, showing internal exploitation and external exploitation]
Different Kinds of Attacks
- Reconnaissance
- Eavesdropping
- System access

Reconnaissance: unauthorized discovery of systems, services, or vulnerabilities.
- Also known as information gathering.
- Precedes an actual access or denial of service (DoS) attack.
- The malicious intruder typically:
  (1) Ping sweeps the target network to determine which IP addresses are alive.
  (2) Uses a port scanner to determine what network services or ports are active on the live IP addresses.
  (3) Using this information, queries ports to determine the application type and version, and the type and version of the operating system running on the target host.
  (4) Determines whether a vulnerability exists that can be exploited.
Reconnaissance Example: Discover vulnerable hosts and devices
Step 1: Use ICMP to ping a range of IP addresses. Those IP addresses that return a successful reply are identified for possible later exploitation.
Step 2: A port scan (Nmap [Network Mapper], nslookup, netcat, etc.) attacks TCP/IP ports and services (FTP, for example) and records the response from the target.
After the attack is completed, the hacker has a map of the following:
- Address ranges, hosts, host names, and services
- Known servers: SMTP, DNS (Domain Name System), HTTP, HTTPS/SSL (HTTP Secure over Secure Socket Layer)
- Firewall (might or might not be detected)
Methods to counteract these attacks: IDS.
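The IDS countermeasure named above, as an added example that is not part of the original slides: a small Python detector that reads constructed firewall-style log lines and flags the ping sweep of Step 1 (one source sending ICMP to many hosts) and the port scan of Step 2 (one source probing many ports on one host). The log format, thresholds and addresses are assumptions made for this example.

```python
# Reconnaissance detector over constructed firewall-style log lines.
# Assumed line format: "<proto> <src> <dst> <dport>" (dport is "-" for ICMP).
from collections import defaultdict
import re

# Constructed sample log (not captured from any real device).
SAMPLE_LOG = """\
icmp 203.0.113.5 10.0.0.1 -
icmp 203.0.113.5 10.0.0.2 -
icmp 203.0.113.5 10.0.0.3 -
icmp 203.0.113.5 10.0.0.4 -
icmp 203.0.113.5 10.0.0.5 -
tcp 203.0.113.5 10.0.0.2 21
tcp 203.0.113.5 10.0.0.2 22
tcp 203.0.113.5 10.0.0.2 25
tcp 203.0.113.5 10.0.0.2 53
tcp 203.0.113.5 10.0.0.2 80
tcp 203.0.113.5 10.0.0.2 443
tcp 198.51.100.7 10.0.0.2 443
tcp 198.51.100.7 10.0.0.2 443
icmp 198.51.100.9 10.0.0.1 -
"""

LINE_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)$")

def analyze(log_text, sweep_threshold=4, scan_threshold=5):
    """Return (sweeps, scans).
    sweeps: src -> sorted hosts it pinged, when at least sweep_threshold hosts.
    scans:  (src, dst) -> sorted ports probed, when at least scan_threshold ports.
    Thresholds are assumed values; tune them to the monitored network."""
    icmp_targets = defaultdict(set)   # src -> set of hosts that received ICMP
    tcp_ports = defaultdict(set)      # (src, dst) -> set of TCP ports probed
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # ignore lines not in the assumed format
        proto, src, dst, dport = m.groups()
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].add(int(dport))
    # Repeated hits on one port (normal client traffic) never reach the threshold,
    # while fanning out across hosts or ports does.
    sweeps = {s: sorted(h) for s, h in icmp_targets.items() if len(h) >= sweep_threshold}
    scans = {k: sorted(p) for k, p in tcp_ports.items() if len(p) >= scan_threshold}
    return sweeps, scans
```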
Eavesdropping
- Capture TCP/IP or other protocol packets and decode the contents using a protocol analyzer.
- SNMP version 1 messages are sent in clear text. An intruder could eavesdrop on SNMP queries and gather valuable data on network equipment configuration.
- The capture of usernames and passwords as they cross a network.

[Figure: Host - Router - Router - Host]

Types of Eavesdropping
- Information gathering - network intruders can identify usernames, passwords, or information carried in the packet, such as credit card numbers or sensitive personal information.

Methods to Counteract Attacks
- Issuing a policy that forbids the use of protocols with known susceptibilities to eavesdropping.
- Using encryption without imposing an excessive burden on the system resources or the users.
System Access
- The ability of an unauthorized intruder to gain access to a device for which the intruder does not have an account or a password.
- Usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

Man-in-the-Middle Attack
- A man-in-the-middle attack requires that the hacker have access to network packets that come across a network.
- Example: an Internet service provider (ISP) has access to all network packets transferred between the ISP network and any other network.
Trust Exploitation
- An attack that takes advantage of a trust relationship within a network.
- Compromise of one system can lead to the compromise of other systems.
- Example: domains in Windows systems.
- A system on the outside of a firewall can have a trust relationship with a system on the inside of a firewall.
Other Access Attacks
- Data manipulation
- IP spoofing
- DoS

Data Manipulation
- The network intruder captures, manipulates, and replays data sent over a communication channel.
- Graffiti - vandalizes a website by accessing the web server and altering web pages.
- Manipulation of data - alters files on the computer, such as password files, to enable further access to the network.
Tools used to perform these attacks:
- Protocol analyzers record passwords as they pass over the network.
- Password crackers contain algorithms to allow unauthorized persons to crack passwords.
IP Spoofing
- Allows the network intruder to manipulate TCP/IP packets so that they carry a falsified source IP address.
- Enables the intruder to appear to be a valid user; the intruder assumes the identity of that user and gains that user's access privileges.
- A directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.
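An added example, not from the original slides, of the filtering a border router applies against the two cases above: Python code that drops packets claiming an inside source when they arrive from outside, packets leaving with a foreign source, and directed broadcasts sent from outside the destination subnet. The internal prefix 10.0.0.0/8, its subnets, the interface names and the packets are constructed assumptions.

```python
# Anti-spoofing and directed-broadcast filter for a border router.
# The internal prefix, subnets and packets are constructed for this example.
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # assumed internal address space
INTERNAL_SUBNETS = [ipaddress.ip_network(n)                 # subnets whose broadcast
                    for n in ("10.0.1.0/24", "10.0.2.0/24")]  # addresses must be protected

def classify(src_ip, dst_ip, interface):
    """Decide the fate of a packet seen on the 'external' or 'internal' interface.
    Returns 'allow', 'drop-spoofed-source' or 'drop-directed-broadcast'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if interface == "external":
        # Ingress filtering: traffic from outside must not claim an inside source.
        if src in INTERNAL:
            return "drop-spoofed-source"
    else:
        # Egress filtering: traffic leaving must carry one of our own addresses,
        # so an inside host cannot send with a third party's address.
        if src not in INTERNAL:
            return "drop-spoofed-source"
    # Directed broadcast: destination is a subnet's broadcast address but the
    # sender is not a member of that subnet (a member's own broadcast is normal).
    for net in INTERNAL_SUBNETS:
        if dst == net.broadcast_address and src not in net:
            return "drop-directed-broadcast"
    return "allow"

def filter_batch(packets):
    """Apply classify() to (src, dst, interface) tuples; return the verdicts in order."""
    return [classify(s, d, i) for s, d, i in packets]

# Constructed packets, one per rule.
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.0.1.9", "external"),    # normal inbound traffic
    ("10.0.1.5", "10.0.1.9", "external"),       # inside address arriving from outside
    ("203.0.113.5", "10.0.1.255", "external"),  # broadcast aimed at 10.0.1.0/24 from outside
    ("10.0.1.5", "10.0.2.255", "internal"),     # inside host broadcasting into another subnet
    ("10.0.1.5", "10.0.1.255", "internal"),     # host broadcasting on its own subnet
    ("192.0.2.1", "10.0.1.9", "internal"),      # inside host sending with a foreign source
]
```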
Denial of Service
- Prevents authorized people from using a service by depleting system resources like disk space, bandwidth, buffers, and so on.
- TCP SYN flood attack - a DoS attack that is used to open a large number of half-open TCP connections to the target. Sessions are thereby denied to others.

TCP Connection: Three-Way Handshake
- SYN: a TCP client initiates a connection with a TCP server by sending a "SYN" packet.
- SYN/ACK: when a SYN packet is received, the server's operating system replies with a connection-accepting "SYN/ACK" packet.
- ACK: the client sends an ACK to acknowledge the request from the server for synchronization.
- The server's receipt of a client's SYN packet causes the server to allocate memory for sending and receiving the connection's data.
- There is a limit to the number of "half-open" connections a TCP server can handle.
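The half-open limit described above, as an added example that is not part of the original slides: a Python model of a TCP listener's backlog of half-open connections, driven by a constructed event trace. It shows the backlog filling with SYNs whose handshakes never complete, a later legitimate client being refused, and the slots being reclaimed once the stale entries time out. The backlog size, timeout, addresses and trace are assumptions.

```python
# Model of a TCP listener's half-open (SYN_RECEIVED) backlog.
# Backlog size, timeout and the event trace are constructed, not from any real stack.

class Listener:
    def __init__(self, backlog=4, timeout=3.0):
        self.backlog = backlog       # max simultaneous half-open connections
        self.timeout = timeout       # seconds a half-open entry may live
        self.half_open = {}          # (src, sport) -> time the SYN was received
        self.established = 0
        self.dropped_syns = 0

    def expire(self, now):
        """Reclaim backlog slots whose handshake never completed."""
        for key, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[key]

    def on_syn(self, src, sport, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1   # backlog full: this client is refused
            return False
        self.half_open[(src, sport)] = now   # allocate state, SYN/ACK goes out
        return True

    def on_ack(self, src, sport, now):
        if self.half_open.pop((src, sport), None) is None:
            return False             # ACK without a matching half-open entry
        self.established += 1        # third step of the handshake completed
        return True

def simulate(events, backlog=4, timeout=3.0):
    """events: (time, 'SYN'|'ACK', src, sport); returns (established, dropped, half_open)."""
    lst = Listener(backlog, timeout)
    for t, kind, src, sport in events:
        (lst.on_syn if kind == "SYN" else lst.on_ack)(src, sport, t)
    lst.expire(events[-1][0] if events else 0.0)
    return lst.established, lst.dropped_syns, len(lst.half_open)

# Constructed trace: one source sends SYNs and never completes the handshake;
# a legitimate client then finds the backlog full until those entries expire.
FLOOD = [(0.0, "SYN", "203.0.113.9", 40000 + i) for i in range(4)]
TRACE = FLOOD + [
    (0.5, "SYN", "198.51.100.2", 5001),   # refused: backlog full
    (4.0, "SYN", "198.51.100.2", 5002),   # accepted: flood entries have expired
    (4.1, "ACK", "198.51.100.2", 5002),   # handshake completes
]
```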
Security Policy
- A formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
- Goal: ensure that system users, staff, and managers are informed of their responsibilities for protecting corporate technology and information assets.
Characteristics of a Good Security Policy
- The policy must be enforceable and it must apply to everyone.
- The policy must be capable of being implemented through system administration procedures.
- The policy must clearly define the areas of responsibility and the roles of users, administrators, and management.

Security Wheel
- The security wheel is an effective approach used to verify that the countermeasures for security vulnerabilities are in place and working properly.
Implementation
- Applying the security policy and implementing the following security solutions: authentication, firewalls, VPN, vulnerability patching.

Monitor
- Monitoring security involves both active and passive methods of detecting security violations.
- Active method: audit host-level log files.
- Passive method: IDS devices automatically detect intrusion.

Test
- The security of the network is proactively tested.
- Vulnerability scanning tools such as Nmap are useful for periodically testing the network security measures.

Manage and Improve
- Analyzing the data collected during the monitoring and testing phases.
- Developing and implementing improvement mechanisms that feed into the security policy.