Professional Documents
Culture Documents
INTERNET INSECURITY
SECURITY OBJECTIVES
CONFIDENTIALITY
disclosure
INTEGRITY
modification
AVAILABILITY
access
USAGE-CONTROL
purpose
SECURITY TECHNIQUES
Prevention
access
control
Detection
auditing/intrusion
incident
detection
handling
Acceptance
practicality
THREATS, VULNERABILITIES
ASSETS AND RISK
THREATS
RISK
Outsider
insider attack
Insider
Attack
Attack
outsider attack
6
PERSPECTIVE ON SECURITY
No silver bullets
A process NOT a turn-key product
Requires a conservative stance
Requires defense-in-depth
A secondary objective
Absolute security does not exist
PERSPECTIVE ON SECURITY
absolute
INTRUSION SCENARIOS
CLASSICAL INTRUSIONS
SCENARIO 1
Insider
Insider
attack
acquires privileged access
Install
backdoors/Trojan horses to
facilitate subsequent acquisition of
privileged access
10
CLASSICAL INTRUSIONS
SCENARIO 2
Outsider
attack
Acquire access to an authorized
account
Perpetrate an insider attack
11
NETWORK INTRUSIONS
SCENARIO 3
Outsider/Insider
attack
Spoof network protocols to
effectively acquire access to an
authorized account
12
DENIAL OF SERVICE
ATTACKS
Flooding
13
INFRASTRUCTURE
ATTACKS
router
attacks
modify
router configurations
domain
sites
ftp archives
14
INTERNET ARCHITECTURE
AND PROTOCOLS
15
higher
level
protocols
END USER A
END USER B
Application Layer
Application Layer
Presentation Layer
Session Layer
End
user
functions
Transport Layer
lower
level
protocols
or
network
services
Network Layer
Data Link Layer
Physical Layer
Presentation Layer
Session Layer
higher
level
protocols
Transport Layer
Network
functions
Network Layer
Data Link Layer
Physical Layer
lower
level
protocols
or
network
services
PHYSICAL MEDIUM
Ravi Sandhu 2000-2004
16
END USER A
higher
level
protocols
higher
level
protocols
lower
level
protocols
or
network
services
lower
level
protocols
or
network
services
SOURCE NODE
INTERMEDIATE
NETWORK NODE
DESTINATION NODE
17
TELNET
FTP
SMTP
TCP
UDP
HTTP etc
IP
Ethernet
(Internet Protocol)
connectionless
UDP
unreliable
TCP
routing of packets
datagram protocol
connection-oriented,
reliable, transport
protocol
Ravi Sandhu 2000-2004
19
20
TELNET
DNS
SMTP
TCP
UDP
HTTP etc
RIP
EGP
BGP
ICMP
FTP
IP
Ethernet
ARP
RARP
21
22
TELNET
DNS
ICMP
SSL
FTP
TCP
SMTP
UDP
HTTP
EGP
BGP
RIP
IPSEC
IP
Ethernet
ARP
RARP
Token-Ring ATM
23
INTERNET STANDARDS
PROCESS
24
25
RFCs
Standards
Proposed Standard
Draft Standard
Internet Standard
Informational
Experimental
Historic
IETF drafts
work in progress
expire after 6 months
26
MUST
SHOULD
MAY
possibility
even if not stated a may is always allowed
unless it violates MUST NOT
27
TCP/IP VULNERABILITIES
28
BASIC TCP/IP
VULNERABILITIES
many
dangerous implementations of
protocols
sendmail
many
dangerous protocols
NFS,
X11, RPC
many of these are UDP based
29
BASIC TCP/IP
VULNERABILITIES
solution
allow
30
IP PACKET
header
data
carries
or
or
a layer 4 protocol
TCP, UDP
a layer 3 protocol
ICMP, IPSEC, IP
a layer 2 protocol
IPX, Ethernet, PPP
31
TCP INSIDE IP
IP
HEADER
TCP
HEADER
32
IP HEADER FORMAT
33
IP HEADER FORMAT
options
source
routing
route
recording
timestamping
security labels
34
35
SYN(X)
responder
SYN(Y), ACK(X)
ACK(Y)
36
3 way handshake
send
of service attack
Basis for IP spoofing attack
37
IP SPOOFING
Send
38
39
SMURF ATTACK
Send
40
ULTIMATE VULNERABILITY
IP packet carries no authentication of
source address
IP spoofing is possible
41
FIREWALLS
42
WHAT IS A FIREWALL?
internal
network
FIREWALL
external
Internet
43
WHAT IS A FIREWALL?
all
firewall
ULTIMATE FIREWALL
internal
network
Air
Gap
external
Internet
45
BENEFITS
secure
46
BASIC LIMITATIONS
connections
TYPES OF FIREWALLS
Packet
IP
filtering firewalls
layer
Application
gateway firewalls
Application
Circuit
TCP
layer
relay firewalls
layer
Combinations
Ravi Sandhu 2000-2004
of these
48
source
49
FILTERING ROUTERS
internal
network
packet
filtering
router
external
Internet
mail
gateway
i-nw-to-router
e-nw-to-router
router-to-i-nw
router-to-e-nw
50
context is kept
dynamic
keeps
(statefull) filtering
context
51
PACKET FILTERING
FIREWALLS
Should
52
FILTERING ROUTERS
internal
network 1
external
Internet
packet
filtering
router
internal
network 2
mail gateway
(internal network 3)
53
FILTERING HOST
internal
network
packet
filtering
firewall
host
external
router
external
Internet
54
APPLICATION GATEWAY
FIREWALLS
internal
network
application
gateway
firewall
host
external
router
external
Internet
SIMPLEST
CONFIGURATION
Ravi Sandhu 2000-2004
56
APPLICATION PROXIES
have
57
CLIENT-SIDE PROXIES
Internal-Client External-Server
allow
58
SERVER-SIDE PROXIES
External-Client Internal-Server
allow incoming telnet for access to
selected internal machines from selected
external users
requires some cryptographic protection to
thwart sniffing and IP spoofing
becoming increasingly important for
electronic commerce
VPN
remote access security
59
FIREWALL ARCHITECTURES
DUAL HOMED HOST
I
n
t
r
a
n
e
t
Router
Bastion Host
(Application
Gateway)
Bastion Host
(External
Service)
Router
I
n
t
e
r
n
e
t
60
FIREWALL ARCHITECTURES
SCREENED SUBNET
I
n
t
r
a
n
e
t
Router
Router
Packet Filter
Bastion Host
(External
Service)
I
n
t
e
r
n
e
t
61
INTRUSION DETECTION
62
RELATED TECHNOLOGIES
Intrusion
detection
Vulnerability assessment
Incident response
Honey pots
Sniffer probes
63
INTRUSION DETETCION
TECHNIQUES
default permit
default deny
specification-based detection
Combinations of these
64
INTRUSION DETECTION
DATA SOURCE
network-based
multiple
intrusion detection
sensor points
host-based
multi-host
intrusion detection
based
application-based
intrusion detection
combinations of these
65
ATTACKER
Outsider
easier
insider
harder
66
of use
transparency
67
INTRUSION DETECTION
CHALLENGES
False
alarm rate
Performance and scalability
68
69
70
1,000,000
diseased: 100
disease free: 999,900
false positive: 9,999
true positive: 99
Alices chance of disease:
99/(9,999+99) = 1/100
Ravi Sandhu 2000-2004
71
1,000,000
diseased: 100
disease free: 999,900
false positive: 99.99
true positive: 99.99
Alices chance of disease:
99.99/(99.99+99.99) = 1/2
Ravi Sandhu 2000-2004
72
NETWORK-BASED INTRUSION
DETECTION SIGNATURES
port
signatures
header signatures
string signatures
73
NETWORK-BASED INTRUSION
DETECTION ADVANTAGES
Complements
firewalls
broad visibility into network activity
no impact on network performance
transparent installation
74
NETWORK-BASED INTRUSION
DETECTION DISADVANTAGES
False
positives
miss new unknown attacks
scalability with high-speed networks
passive stance
emergence of switched Ethernet
75
HOST-BASED INTRUSION
DETECTION
example, tcp-wrapper
host-based agents
example, tripwire
76
INTRUSION DETECTION
STANDARDS
None
exist
ongoing efforts
CIDF:
77
INTRUSION DETECTION
Needs
78