
CSCE 815 Network Security Lecture 21



Presentation Transcript


  1. CSCE 815 Network Security Lecture 21 Intrusion Detection Systems April 8, 2003

  2. Hackers and Crackers
  • The Difference
    • A hacker is a person intensely interested in the workings of the Operating System
    • A cracker is someone who breaks into or violates system integrity

  3. Tools of the Trade
  • Reconnaissance of target systems and users
    • Port Scanners
    • Passive Operating System Identification
  • Exploits and the SANS Top 20
    • Exploits – known ways to break into a system
    • SANS Top 20 Most Critical Internet Security Threats

  4. Reconnaissance
  • Reconnaissance of target systems and users
  • Social Engineering [Corporate Espionage, Ira Winkler]
    • E.g.: call the main number: “I’m a new employee, what’s the help desk number?”
    • Call the help desk, explain again, and ask for a username, a password, and how to access the system remotely.
    • Help desk worker never questions.
  • Dumpster diving
  • Impersonations – “This is Dean White and I’ve forgotten my password and I’ve got to get this email to the President before 5:00. Give me my password!”

  5. Scanners
  • Port Scanners
    • Programs that check the computer’s TCP/IP stack for ports in the listen state
    • Port ranges: www.iana.org/assignments/port-numbers
      • 1-1023 – well-known ports, e.g. on port 80 the web server is listening
      • 1024-49151 – registered ports
      • 49152-65535 – dynamic ports
    • TCP three-way handshake, RFC 793
    • TCP packets with SYN, ACK, FIN, RST flags are sent and the response is noted
  • Scanners – do not use these!!! People will infer things!
    • Nmap (www.insecure.org)
    • hping2
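The slide's point for a defender is that a scan leaves a signature: one source sending SYNs to many distinct ports on one host in a short time. The following is an added example, not part of the lecture, showing how that signature can be detected over firewall-style log lines. The log format (`timestamp src dst dport flags`), the sample lines, and the window/threshold values are all constructed for the example; the port-range classes come from the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the lecture): one line per
# observed TCP packet, in the form "timestamp src dst dport flags".
# 10.0.0.5 probes twelve ports in five seconds; 10.0.0.7 is normal web traffic.
SAMPLE_LOG = """\
2003-04-08T10:00:01 10.0.0.5 192.168.1.10 22 S
2003-04-08T10:00:01 10.0.0.5 192.168.1.10 23 S
2003-04-08T10:00:02 10.0.0.5 192.168.1.10 25 S
2003-04-08T10:00:02 10.0.0.5 192.168.1.10 80 S
2003-04-08T10:00:03 10.0.0.5 192.168.1.10 110 S
2003-04-08T10:00:03 10.0.0.5 192.168.1.10 143 S
2003-04-08T10:00:04 10.0.0.5 192.168.1.10 443 S
2003-04-08T10:00:04 10.0.0.5 192.168.1.10 445 S
2003-04-08T10:00:05 10.0.0.5 192.168.1.10 3389 S
2003-04-08T10:00:05 10.0.0.5 192.168.1.10 8080 S
2003-04-08T10:00:06 10.0.0.5 192.168.1.10 8443 S
2003-04-08T10:00:06 10.0.0.5 192.168.1.10 1433 S
2003-04-08T10:00:10 10.0.0.7 192.168.1.10 80 S
2003-04-08T10:00:11 10.0.0.7 192.168.1.10 80 S
2003-04-08T10:00:12 10.0.0.7 192.168.1.10 443 S
"""


def port_class(port):
    """Classify a port by the IANA ranges quoted on the slide."""
    if 1 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError("port out of range")


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_port_scans(log_text, window=timedelta(seconds=10), threshold=10):
    """Return {(src, dst): set(ports)} for every source that sent SYNs to at
    least `threshold` distinct ports on one destination inside any `window`.
    Only SYN packets count: a scanner must at least send those."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_line(line)
        if "S" in flags:
            events[(src, dst)].append((ts, dport))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-ordered SYNs from this (src, dst) pair.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(key, set()).update(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        classes = sorted({port_class(p) for p in ports})
        print(f"possible scan {src} -> {dst}: {len(ports)} ports, ranges {classes}")
```

The threshold and window are tuning knobs: too low and a busy client tripping several services looks like a scan, too high and a slow scan spread over minutes is missed, which is why the window is a parameter rather than a constant.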

  6. Passive Operating System Identification
  • aka Operating System Fingerprinting – identify the type of Operating System from its TCP/IP stack
  • TCP/IP parameters
    • ip_default_ttl (time to live) (Linux = 64, Windows = 128)
    • ip_forward
    • tcp_sack – Selective Acknowledgement Std. (Linux = 1)
    • tcp_timestamps (Linux = 1)
    • tcp_window_scaling (Linux = 1)
  • Send various packets and observe fields in headers.
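As an added example (not from the lecture), here is the passive side of the slide in code: read the TTL from an IPv4 header and the option kinds from the TCP header of a captured SYN, then infer the likely initial TTL, the hop distance, and whether the stack advertises SACK, timestamps and window scaling. The TTL defaults are the ones on the slide (Linux 64, Windows 128); the value 255 is added as an assumption for a third common default, and the two sample packets are constructed test data (checksums left zero), not real captures. Defenders use this kind of passive inventory to spot unexpected operating systems on a segment without sending a single probe.

```python
import struct

# Initial TTL defaults quoted on the slide; "unknown" covers anything else.
TTL_PROFILES = {64: "Linux", 128: "Windows"}
# Assumption: 255 included as a third common initial TTL (not stated on the slide).
INITIAL_TTLS = (64, 128, 255)

# TCP option kinds from RFC 793 / RFC 1323 / RFC 2018.
OPT_WINDOW_SCALE, OPT_SACK_PERMITTED, OPT_TIMESTAMPS = 3, 4, 8


def parse_ipv4(packet):
    """Return (ttl, header_length_bytes) from a raw IPv4 header."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl_bytes = (version_ihl & 0x0F) * 4
    return packet[8], ihl_bytes


def parse_tcp_option_kinds(segment):
    """Return the set of option kinds present in a TCP header."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        kinds.add(kind)
        i += opts[i + 1]       # every other option carries a length byte
    return kinds


def passive_fingerprint(packet):
    """Infer initial TTL, hop count and advertised TCP options from one SYN."""
    ttl, ihl = parse_ipv4(packet)
    initial = next(t for t in INITIAL_TTLS if ttl <= t)
    kinds = parse_tcp_option_kinds(packet[ihl:])
    return {
        "initial_ttl": initial,
        "hops": initial - ttl,
        "os_guess": TTL_PROFILES.get(initial, "unknown"),
        "tcp_sack": OPT_SACK_PERMITTED in kinds,
        "tcp_timestamps": OPT_TIMESTAMPS in kinds,
        "tcp_window_scaling": OPT_WINDOW_SCALE in kinds,
    }


def build_sample_syn(ttl, options):
    """Constructed IPv4+TCP SYN for testing; options length must be a multiple of 4."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (tcp_len // 4) << 4, 0x02,
                      5840, 0, 0) + options
    return ip + tcp


# Constructed option layouts: MSS, SACK-permitted, timestamps, NOP, window scale
LINUX_LIKE_OPTS = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])
# Constructed: MSS, NOP, NOP, SACK-permitted only
SPARSE_OPTS = bytes([2, 4, 5, 0xB4, 1, 1, 4, 2])

if __name__ == "__main__":
    print(passive_fingerprint(build_sample_syn(57, LINUX_LIKE_OPTS)))
    print(passive_fingerprint(build_sample_syn(120, SPARSE_OPTS)))
```

The TTL rule is "round up to the nearest known default"; it fails silently for hosts whose administrators changed `ip_default_ttl`, which is exactly the countermeasure the slide's parameter list hints at, so treat the result as a hint to be confirmed by the option pattern rather than an identification.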

  7. Exploits
  • Exploiting weaknesses in the system
  • http://www.online.securityfocus.com/archive/1

  8. SANS Top 20
  • SANS Institute: http://www.sans.org/top20
    • Top 20 Most Critical Internet Security Threats
  • Common Vulnerabilities and Exposures: www.cve.mitre.org

  9. Computer Security
  • Not a state, it’s a constant process
  • Configure system as securely as possible
  • Discover vulnerability
  • Exploit becomes public knowledge
  • Vendor responds with upgrade or patch
  • Stay on top of alerts/patches
    • Learn of exploit
    • Assess potential impact
    • Download patch, test, install

  10. Information Overload
  • Web Sites
  • Mailing Lists
    • Out of 100 messages, 12-15 are worthwhile; the rest are me-too’s and spam
  • Tips for System Administrators
    • Set up a special “security” email account
    • Or partition it further: Perl scripts analyze email and save it into directories by OS

  11. Computer Emergency Response Team
  • Computer Emergency Response Team (CERT), Software Engineering Institute, Carnegie Mellon, www.cert.org
    • Created in response to the 1988 Morris Worm incident
    • Issued hundreds of advisories
    • Responded to more than 140,000 reports of internet break-ins
    • Responded to more than 7000 vulnerabilities [www.cert.org/stats/cert_stats]
    • On call 24 hours a day for those suffering a break-in
  • Others:
    • Dept. of Energy Computer Incident Advisory Capability (CIAC): www.cisc.org/ciac
    • National Inst. of Standards and Tech. (NIST): csrc.nist.gov
    • Mailing Lists

  12. Usenet Security Newsgroups
  • alt.2600.crackz
  • alt.2600.hackerz
  • alt.computer.security
  • alt.hackers.malicious
  • alt.security
  • alt.security.pgp
  • comp.security.firewalls
  • comp.lang.java.security
  • comp.os.linux.security

  13. Physical Security
  • Mentality: “firewalls fix everything”
  • More than 50% of security breaches come from inside
  • Types of Harm
    • Server compromise
    • Network infrastructure compromise
    • Workstation compromise (Trojans)
    • Loss or theft of proprietary data
    • Transmission of inaccurate data
    • Denial of Service

  14. The Human Dimension
  • Dimension: least risk to most
    • Members of public
    • Temporary employees
    • Departmental users
    • Infrastructure
    • Server
    • Administrators
  • Scofflaw employees – those who want to bypass security rules for their convenience, e.g., installing their own modem
  • IT employees: logic bomb

  15. Physical Security: “Do”s
  • Do: lock wiring closets
  • Do: use switches rather than hubs (esp. for admins)
  • Do: change locks immediately when an employee leaves
  • Do: erase hard drives when you take them out of service
  • Do: use a paper shredder
  • Do: lock the server cabinets
  • Do: restrict or forbid the use of modems on desktops
  • Do: make sure road laptops and PDAs are secure
  • Do: consider use of smart-cards rather than passwords for administrators

  16. Recommended Reading
  • Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995
  • Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994

  17. Physical Security: “Don’t”s
  • Don’t: send off-site backups to unsecured sites
  • Don’t: give keys to vendors
  • Don’t: allow ad hoc access to the data center
  • Don’t: share wiring closets with printers etc.
  • Don’t: put servers in unsecured areas
  • Don’t: leave server keys on the back of the server
  • Don’t: let cleaning people in without escort
  • Don’t: store sensitive data on user drives (or encrypt it)
  • Don’t: discuss passwords over non-secure channels
  • Don’t: put consoles near windows

  18. Protocol Review
  • IP – internet protocol – routing packets through the network
  • TCP – connection-oriented transport
  • UDP –
  • ARP – address resolution protocol
  • ICMP – internet control message protocol
  • Application layer – FTP, HTTP, SMTP, SNMP, SSH

  19. Spoofing Attacks
  • Spoofing means fraudulently authenticating one machine as another
  • P 131 “A Short Overview of IP Spoofing”
    • www.nmrc.org/files/unix/ip.exploit.txt
  • Preventing IP spoofing
    • have your routers reject packets with local addresses from the outside
    • also have them reject internal packets claiming to originate from the outside
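The two router rules on the slide are ingress and egress filtering. The following is an added example, not from the lecture, that expresses both rules as a single decision function so the logic can be tested before it is translated into a real router or firewall configuration. The internal address space (`192.168.1.0/24` plus a second site net) and the sample packets are constructed; dropping loopback and unspecified source addresses on both sides is an extra rule added here as an assumption, not something the slide states.

```python
import ipaddress

# Assumption: the site's internal address space. Anything not listed is "outside".
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.10.0.0/16"),
]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def border_filter(direction, src, dst):
    """Decide 'accept' or 'drop' for one packet at the site border.

    direction: 'in'  = packet arriving from the outside interface
               'out' = packet leaving the site toward the outside
    Rule 1 (ingress, from the slide): reject packets with local source
    addresses arriving from the outside.
    Rule 2 (egress, from the slide): reject internal packets that claim a
    non-local source address.
    Extra (assumption): loopback/unspecified sources are never valid on the wire.
    """
    s = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validates the destination; not used in the rules
    if s.is_loopback or s.is_unspecified:
        return "drop"
    if direction == "in":
        return "drop" if is_internal(s) else "accept"
    if direction == "out":
        return "drop" if not is_internal(s) else "accept"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets):
    """Run the filter over (direction, src, dst) tuples; return list of verdicts."""
    return [border_filter(*p) for p in packets]


# Constructed sample traffic (not from the lecture)
SAMPLE_PACKETS = [
    ("in", "10.0.0.5", "192.168.1.10"),      # normal inbound
    ("in", "192.168.1.5", "192.168.1.10"),   # outside packet claiming to be inside: spoof
    ("out", "192.168.1.5", "203.0.113.9"),   # normal outbound
    ("out", "203.0.113.77", "203.0.113.9"),  # inside host forging an outside source
    ("in", "127.0.0.1", "192.168.1.10"),     # loopback source from the wire
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_PACKETS)):
        print(verdict.upper(), pkt)
```

Note that these rules only stop a spoofed packet from crossing the border; an inside host spoofing another inside address is not caught here, which is why the slide goes on to ARP-level spoofing next.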

  20. ARP Spoofing
  • Address Resolution Protocol (ARP)
    • IP address → hardware (ethernet) address mapping
    • send ARP packet: “who has IP address and what is your hardware address?”
    • ARP cache – table of recent responses
  • ARP Spoofing
    • Assume IP address “a” of trusted host
    • Respond to ARP packets for address “a”, sending a false hardware address (i.e., the fraud’s address)
  • Solution: make ARP cache static (manual updates!?!)
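The slide's defence is a static ARP cache. As an added example (not from the lecture), the code below models a host's ARP cache as a watcher that learns IP-to-MAC bindings from observed replies, raises an alert when a known IP suddenly answers with a different hardware address, and treats administrator-pinned static entries as authoritative so a conflicting reply is reported rather than accepted. The reply sequence and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply observations (sender IP, sender MAC), not real captures.
# Reply 4 has a new MAC answering for the gateway's IP; reply 5 shows that same
# MAC also answering for a second IP, the pattern of one host impersonating many.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.1", "00:11:22:33:44:FF"),
    ("192.168.1.20", "00:11:22:33:44:ff"),
]


class ArpWatcher:
    """A model of an ARP cache with optional static (pinned) entries."""

    def __init__(self, static=None):
        # Entries the administrator set by hand: never overwritten by replies.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.seen = {}      # dynamically learned IP -> MAC
        self.alerts = []    # (kind, ip, old_mac, new_mac)

    def observe(self, ip, mac):
        mac = mac.lower()
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append(("static-mismatch", ip, self.static[ip], mac))
            return  # static entry stays authoritative either way
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(("mac-changed", ip, prev, mac))
        self.seen[ip] = mac  # a dynamic cache would accept the new binding

    def lookup(self, ip):
        """What this host would use as the hardware address for `ip`."""
        return self.static.get(ip, self.seen.get(ip))

    def macs_claiming_multiple_ips(self):
        """Hardware addresses that currently answer for more than one IP."""
        by_mac = defaultdict(set)
        for ip, mac in self.seen.items():
            by_mac[mac].add(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def run_sample(static=None):
    watcher = ArpWatcher(static)
    for ip, mac in SAMPLE_ARP_REPLIES:
        watcher.observe(ip, mac)
    return watcher


if __name__ == "__main__":
    dynamic = run_sample()
    print("dynamic cache alerts:", dynamic.alerts)
    print("gateway now resolves to:", dynamic.lookup("192.168.1.1"))
    pinned = run_sample(static={"192.168.1.1": "00:11:22:33:44:01"})
    print("static cache alerts:", pinned.alerts)
    print("gateway still resolves to:", pinned.lookup("192.168.1.1"))
```

Running both variants shows the trade-off the slide's “manual updates!?!” remark points at: the dynamic cache silently switches the gateway to the impostor's address and only the alert records it, while the pinned entry keeps the correct address but has to be maintained by hand whenever hardware changes.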

  21. DNS Spoofing
  • Domain Name System (DNS)
    • hierarchical name servers map FQDN → IP address
    • UDP packet sent with name to name server

  22. Web Spoofing

  23. Security Myth
  • “The only secure computer is the one that is turned off and unplugged”
    • Once connected to the internet it becomes a target
    • So shut down all unnecessary services.
  • Myth 2: “My firewall will stop the pesky crackers!”

  24. The Players, Platforms and Attacks
  • The Players:
    • The Black Hats
    • Script kiddies
    • The White Hats
  • Platforms of attackers
    • Windows
    • Linux/NetBSD/FreeBSD
    • OpenBSD, billed as “the most secure OS freely available”
  • Attacks
    • Denial of Service
    • Viruses, Trojans, malicious scripts
    • Web defacement
