CS 665: Computer System Security
Network Security
Bojan Cukic
Lane Department of Computer Science and Electrical Engineering
West Virginia University
Rev 1.1

Usage environment
- Anonymity
- Automation, minimal human supervision
- Distance
- Opaqueness, hidden distance
- Routing diversity and fault tolerance

Sources of vulnerabilities
- Anonymity
- Many points of attack
- Sharing
- Complexity
- Unknown perimeter, expandability
- Unknown paths: users do not control routing!
Threat Precursors
- Port scans: open ports send responses to inquiries. Reveals services and OS versions.
- Application fingerprinting (HTTP-80, SMTP-25, POP-110, FTP-21, ...).
- Social engineering, reconnaissance.
- Eavesdropping, wiretapping.

Interesting Threats
- Protocol flaws: not as common any longer.
- Impersonation
- Spoofing
- Masquerade: a host pretends to be a similarly named one.
- Session hijacking: intercepting and stealing the session.
- Man-in-the-middle: a third entity intrudes from the beginning of the session. Foiled by asymmetric cryptography.

Interesting Threats (2)
- Denial of Service (DoS): transmission failure, connection flooding.
- SYN flood (losing handshake packets).
- Traffic redirection: a corrupted router advertises the best path.
- DNS (Domain Name Server) attacks: BIND programs suffer from flaws, allowing incorrect name-address mappings.
- Distributed DoS: Trojan horses planted in multiple computers, each performing a DoS attack against the same target.
Threats to active code
- Cookies: what do they contain?
- Scripts: CGI scripts encode communicated data. For example, %0A (EOL) instructs the interpreter to accept the next line as a new command: http://www.t1.com/cgi-bin/qu?%oa/bin/cat/%20/etc/passwd
- Active code: Java 1.1 disabled code from writing to the disk. Subsequent versions relaxed the sandbox security. Hostile applets.
- ActiveX (Microsoft's response to Java): crypto signatures of code.

Network Security Controls
- Architecture (segmentation)
- Encryption
- Virtual Private Networks: session keys are established between the user and the target system's firewall; encryption provides an encrypted tunnel.
- PKI and certificates
- SSH and SSL (secure sockets layer) encryption
- IPsec, the IP security protocol: supports encryption of Internet traffic.

Distributed System Security
- Encryption is valuable within the system boundaries.
- In a distributed system, secure access to data, programs and other resources is needed: seamless access, regardless of physical location.
- The access control mechanism must protect access points and authenticate network nodes.
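The CGI encoding point above (a percent-encoded EOL, %0A, becoming a command separator once decoded) can be checked for on the server side before the script ever runs. The following is an added example, not code from the slides: it decodes the query string (repeatedly, so that double encoding such as %250A is also caught) and rejects any request whose decoded query carries an ASCII control character. The request paths and script name are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample request paths, shaped like the slide's CGI example.
# The script name /cgi-bin/qu is hypothetical.
SAMPLE_PATHS = [
    "/cgi-bin/qu?word=security",
    "/cgi-bin/qu?%0a/bin/cat%20/etc/passwd",   # encoded EOL before a second command
    "/cgi-bin/qu?%250a%250dls",                # double-encoded EOL and CR
    "/cgi-bin/qu?name=O%27Brien",              # harmless encoded apostrophe
]

# ASCII control characters (0x00-0x1F) plus DEL; EOL (0x0A) and CR (0x0D) are among them.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def decoded_query(path):
    """Return the fully percent-decoded query string of a request path ('' if none).

    Decoding is repeated until the text stops changing (bounded to a few rounds), so
    that a doubly encoded sequence such as %250A ends up as a real newline as well."""
    _, _, query = path.partition("?")
    for _ in range(4):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query


def has_control_chars(path):
    """True if the decoded query contains any ASCII control character.

    A CGI interpreter may treat a decoded EOL as the end of one command and the start
    of another, so such requests are refused before the script is invoked."""
    return any(ch in CONTROL_CHARS for ch in decoded_query(path))


def filter_requests(paths):
    """Split request paths into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for p in paths:
        (rejected if has_control_chars(p) else accepted).append(p)
    return accepted, rejected
```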
Port Protection
- Authentication is far more difficult for dial-ups: any phone in the world is an access point.
- Automatic call-back: upon user identification, the line is broken. The computer calls the user back, using a table lookup for the number. Works for multiple registered numbers too. An easy way to establish 2-way authentication.

Port Protection (2)
- Differentiated access rights: access to sensitive data is allowed from safe houses (numbers) only.
- Silent modems: solve the systematic dial-up problem. The modem waits for the caller's modem to send the first tone. Authentication is still not addressed.

Firewalls
- Appeared in the 90s, but reflect reference monitor concepts from the 70s.
- A firewall filters traffic at the network boundary.
- For performance reasons, it usually runs on a dedicated device.
- Default deny vs. default permit.
- A specific policy can be defined by an admin.
Firewalls (figure only)

Types of firewalls
- Packet filtering gateway (screening router)
- Stateful inspection firewall
- Application proxy
- Personal firewall
- Screening is simpler than proxying.

Packet filtering gateways
- Filters packets based on address or transport protocol information.
- Only IP address or port information is screened.
[Figure: packet filtering (screening) gateway between network 1 and network 2; labels: forged (inside) address, HTTP, e-mail, telnet, blocked, accepted]
Packet Filters
- A packet conveys the following information:
  - Source IP address and port
  - Destination IP address and port
  - Information about the protocol
  - Error checking information

Stateful inspection firewall
- Can track a sequence of packets instead of just individual ones.
- Can prevent unusual traffic patterns from unknown sites.

Application proxy
- Simulates application behavior to the outside world.
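The difference between a screening router and a stateful inspection firewall, as an added example that is not part of the slides: the stateless check looks only at the address and port fields listed above under a default-deny policy (inbound HTTP and e-mail only, and no packet from outside may claim an inside address), while the stateful filter also remembers connections that were opened from inside, so it admits a reply only when a matching connection exists and drops a lone ACK that the stateless check would have accepted. The inside prefix, the allowed services and the packet trace are all constructed assumptions.

```python
from collections import namedtuple

# Fields named on the slide: addresses, ports and protocol; flags are TCP control bits.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto flags")

INSIDE_NET = "10.0.0."                          # hypothetical internal prefix
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 25)}    # default deny: only HTTP and e-mail


def stateless_decision(pkt, from_outside):
    """Screening-router verdict on one packet alone (address and port information only)."""
    if from_outside and pkt.src_ip.startswith(INSIDE_NET):
        return "drop: forged inside address"      # anti-spoofing rule
    if from_outside and (pkt.proto, pkt.dst_port) not in ALLOWED_INBOUND:
        return "drop: default deny"
    return "accept"


class StatefulFilter:
    """Keeps a table of TCP connections so only replies to known sessions are admitted."""

    def __init__(self):
        self.table = set()   # 4-tuples (src_ip, src_port, dst_ip, dst_port) seen opening

    def decide(self, pkt, from_outside):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if not from_outside:
            self.table.add(key)                  # inside hosts may open connections
            return "accept"
        if reverse in self.table:
            return "accept: reply to established connection"
        if pkt.proto == "tcp" and pkt.flags == "SYN":
            verdict = stateless_decision(pkt, True)   # a new inbound connection
            if verdict == "accept":
                self.table.add(key)
            return verdict
        # Mid-stream packet with no recorded connection: unusual traffic, dropped.
        return "drop: no matching connection"


def run_trace(packets):
    """Return the stateful verdict for each (packet, from_outside) pair, in order."""
    fw = StatefulFilter()
    return [fw.decide(p, outside) for p, outside in packets]


# Constructed trace; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
TRACE = [
    (Packet("10.0.0.5", 40001, "203.0.113.9", 80, "tcp", "SYN"), False),
    (Packet("203.0.113.9", 80, "10.0.0.5", 40001, "tcp", "SYN-ACK"), True),
    (Packet("198.51.100.7", 5555, "10.0.0.2", 80, "tcp", "SYN"), True),
    (Packet("198.51.100.7", 5556, "10.0.0.2", 23, "tcp", "SYN"), True),
    (Packet("10.0.0.9", 7777, "10.0.0.2", 80, "tcp", "SYN"), True),
    (Packet("198.51.100.7", 5557, "10.0.0.2", 80, "tcp", "ACK"), True),
]
```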
Application proxy (2)
[Figure: implementation example]

Personal firewalls
- Suitable for broadband home users: protecting a single workstation or small networks.
- Runs on the workstation itself (not in isolation).
- Blocks unwanted network traffic: Java applets, ActiveX, leakage of personal data; closes ports.
- Usually generate activity and access logs.
- May be combined with virus scanners.
- Provide reasonable protection.

Rules of use
- The firewall needs to control the entire network perimeter: no unmediated connections.
- Protection for the internal network only.
- The firewall is visible to the outside world, so it is a target for attacks. Provide layers of firewalls.
- No protection against packets that cross the perimeter!
Defense in depth
- Multiple LAN configurations
[Figure: Internet, screening router, outermost network, proxy, intermediate LAN]