Computer networks
Download
1 / 45

- PowerPoint PPT Presentation


  • 215 Views
  • Updated On :

Computer Networks Security Internet no central authority end systems in control no central knowledge of connections no per-packet billing legal issues not well understood anonymity is easy Internet/Telco Comparison Telephone System central authority network in control

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - Patman


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Internet telco comparison l.jpg

Internet

no central authority

end systems in control

no central knowledge of connections

no per-packet billing

legal issues not well understood

anonymity is easy

Internet/Telco Comparison

  • Telephone System

    • central authority

    • network in control

    • billing records per connection

    • legal issues well understood

    • provisions for law enforcement (wiretapping)


Internet security stinks l.jpg
Internet Security Stinks

  • Hosts are hard to secure

  • Bad defaults

  • Poor software

  • Fixes rarely applied

  • Average user/administrator is clueless

  • An overly secure system is not useful

  • It’s difficult to coordinate among sites


What to protect l.jpg

Authentication

are who you say you are

Nonrepudiation

no denying it

Access Control

don’t touch that!

Reputation

Ensure your good name

What to Protect

  • Confidentiality

    • snooping

    • encryption

  • Integrity

    • deletion, changes

    • backups

  • Availability

    • denial of service attacks



Physical security l.jpg
Physical Security

  • Trash bins

  • Social engineering

  • It’s much easier to trust a face than a packet

  • Protect from the whoops

    • power

    • spills

    • the clumsy

    • software really can kill hardware


Host based security l.jpg
Host Based Security

  • Recall End-to-End Argument

  • Security is ultimately a host problem

  • Key idea: protect the DATA

  • End hosts are in control of data

  • Users are in control of end hosts

  • Users can and often will do dumb things

  • Result: very difficult to protect all hosts


Internal security l.jpg
Internal Security

  • Most often ignored

  • Most likely the problem

  • Disgruntled employee

  • Curious, but dangerous employee

  • Clueless and dangerous employee


Security by obscurity l.jpg
Security by Obscurity

  • Is no security at all.

  • However

    • It’s often best not to advertise unnecessarily

    • It’s often the only layer used (e.g. passwords)

  • Probably need more security


Network based security l.jpg
Network Based Security

  • Should augment host based security

  • Useful for

    • Protecting groups of users from others

    • Prohibiting certain types of network usage

    • Controlling traffic flow

  • Difficult to inspect traffic

    • encryption can hide bad things

    • tunneling can mislead you

      Good book: Network Security: PRIVATE Communication in a PUBLIC World. Kaufman, Perlman and Speciner.


Layered defenses l.jpg
Layered Defenses

  • The belt and suspenders approach

  • Multiple layers make it harder to get through

  • Multiple layers take longer to get through

  • Basic statistics and probability apply

    • If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks

  • Trade-off in time, money and convenience


Perimeter security l.jpg
Perimeter Security

  • Boundary between a trusted internal network and a hostile external network


Firewall solutions l.jpg
Firewall Solutions

  • They help, but not a panacea

  • A network response to a host problem

    • Packet by packet examination is tough

  • Don’t forget internal users

  • Need well defined borders

  • Can be a false sense of security

  • Careful not to break standard protocol mechanisms!


Packet filtering firewalls l.jpg
Packet Filtering Firewalls

  • Apply rules to incoming/outgoing packets

  • Based on

    • Addresses

    • Protocols

    • Ports

    • Application

    • Other pattern match




Example firewall ipchains l.jpg
Example Firewall: ipchains

-A input -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j DENY

-A input -s 172.0.0.0/255.240.0.0 -d 0.0.0.0/0.0.0.0 -j DENY

-A input -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY

-A input -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY

-A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 22:22 -p 6 -j ACCEPT

-A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 1024:65535 -p 6 ! -y -j ACCEPT


Example firewall cisco router filters l.jpg
Example Firewall: Cisco Router Filters

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip 172.0.0.0 0.15.255.255 any

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 0.0.0.0 0.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 deny ip 224.0.0.0 31.255.255.255 any

access-list 100 deny ip 1.2.0.0 0.0.255.255 any

access-list 100 permit tcp any host 1.2.3.4 eq domain

access-list 100 permit udp any host 1.2.3.4 eq domain

access-list 100 deny tcp any host 1.2.3.5 eq telnet log

access-list 100 deny tcp any host 1.2.3.6 eq syn log

access-list 100 deny ip any host 1.2.3.4

access-list 100 permit ip any 1.2.0.0 0.0.255.255

access-list 100 deny ip any any



Encryption l.jpg
Encryption

  • Make a readable message unreadable

  • Math intensive

  • Plain text versus cipher text

  • Algorithms and keys

    • public

    • private

    • key size


Shared secret key l.jpg
Shared Secret Key

  • Each party knows a secret

  • The secret is used to decrypt the cipher text

    • Book: Ulysses

    • Page: 7

    • Line: 23

    • Word: 4

  • Must know the book and keep it a secret



Public key cryptography l.jpg
Public Key Cryptography

  • Public Key

    • Everyone can use it to encrypt messages to you

  • Private Key

    • Only you know this key and only it decrypts messages encrypted with your public key

  • Keyring



Exploits overview l.jpg
Exploits Overview

  • Passwords

    • hacking and sniffing

  • System specific

    • NT, UNIX, NetWare, Linux

  • Application specific

    • web browser, ftp, email, finger

  • Protocol specific

    • spoofing, TCP hijacking, ICMP redirects, DNS

  • Denial of Service

    • PING of death, trinoo, tribe flood


The process l.jpg
The Process

  • Reconnaissance

  • Scanning

  • Exploit Systems

  • Keep access with backdoors/trojans

  • Use system

    • Often as a springboard

  • Cover any tracks


Buffer overflows and weak validation of input l.jpg
Buffer Overflows and Weak Validation of Input

  • Key idea: overwriting the something on the stack

  • Popular exploits with CGI scripts

  • Format strings

  • Regular users can gain root access

  • If exploit on TCP/UDP service, remote root can be accomplished


Network mapping l.jpg
Network Mapping

  • PING

  • DNS mapping (don’t need zone transfer)

    • dig +pfset=0x2020 -x 10.x.x.x

  • rpcinfo -p <hostname>

  • nmap <http://www.insecure.org/nmap/>

    • very nice!

  • Microsoft Windows is NOT immune

    • nbtstat, net commands

  • Just look around the ‘net!


Session hijacking l.jpg
Session Hijacking

If you can predict sequence numbers and spoof the source address, you might be able to pretend to be one end of the session. It helps if you can keep one end of the session busy while you’re hijacking.



Password cracking l.jpg
Password Cracking

  • Very common today

  • If attacker can get a hold of the password file, they can go offline and process it

  • Recall

    • passwords are a form of obscurity

    • multiple defenses may be needed

  • Given enough time, passwords alone are probably not safe


Viruses and worms l.jpg
Viruses and Worms

  • Programs written with the intent to spread

  • Worms are very common today

    • Often email based (e.g. ILOVEYOU)

  • Viruses infect other programs

    • Code copied to other programs (e.g. macros)

  • All require the code to be executed

    • Proves users continue to do dumb things

    • Sometimes software is at fault too


Denial of service dos l.jpg
Denial of Service (DoS)

  • Prevents or impairs standard service

  • SYN flooding

  • SMURF attacks

  • Distributed Denial of Service (DDoS)

  • Most effective when source address can be spoofed

  • Difficult to differeniate between valid traffic




Dos solutions l.jpg
DoS Solutions

  • Ingress/Egress filtering

  • ICMP Traceback

  • Packet Marking

  • Rate-limiting

  • Difficult to solve completely!


Network address translation l.jpg
Network Address Translation

  • Removes end-to-end addressing

  • Standardized in RFC 1918

  • NAT has been bad for the Internet

  • Provides relatively no security with a great deal of cost - this slide shouldn't be here

  • NAT has been required for sites with IP address allocation problems

  • NAT may be used for IPv6 transition




Key idea l.jpg
Key Idea

A session between two endpoints that is secured from eavesdroppers and all threats on the network in between, usually through the use of encryption technology.


Why is this worthwhile l.jpg
Why Is This Worthwhile?

  • Cost, Cost, Cost!

    • Ability to make use of a public, insecure network, rather than building your own private, secure network


Challenges l.jpg
Challenges

  • Increased overhead

  • Complexity

  • Performance

  • Quality

  • Management



Other areas of interest l.jpg
Other Areas of Interest

  • IP multicast

  • Routing protocols

  • Privacy issues

  • IPsec

  • Intrusion Detection Systems (IDS)


References l.jpg
References

bugtraq mailing list (see http://www.securityfocus.com)

http://www.cert.org

http://www.cerias.purdue.edu

http://www.first.org

http://packetstorm.securify.com

http://www.research.att.com/~smb/

http://cm.bell-labs.com/who/ches/

http://www.denialinfo.com

http://www.cs.georgetown.edu/~denning/

http://www.washington.edu/People/dad/

http://www.sans.org

http://theory.lcs.mit.edu/~rivest/

http://networks.depaul.edu/security/


ad