
UNIT 5 SYSTEM SECURITY

Intruder, intrusion detection system
Virus and related threats, countermeasures
Firewalls design principles, trusted systems
Practical implementation of cryptography and security

Slides courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition

Chapter 1 Intruders

Intrusion detection system

Intruders

a significant issue for networked systems is hostile or unwanted access
  either via network or local
can identify classes of intruders:
  masquerader
  misfeasor
  clandestine user
varying levels of competence

Intruders

clearly a growing publicized problem
  from Wily Hacker in 1986/87
  to clearly escalating CERT stats
may seem benign, but still cost resources
may use compromised system to launch other attacks
awareness of intruders has led to the development of CERTs

Intrusion Techniques

aim to gain access and/or increase privileges on a system
basic attack methodology
  target acquisition and information gathering
  initial access
  privilege escalation
  covering tracks
key goal often is to acquire passwords
  so then exercise access rights of owner

Password Guessing

one of the most common attacks
attacker knows a login (from email/web page etc)
then attempts to guess password for it
  defaults, short passwords, common word searches
  user info (variations on names, birthday, phone, common words/interests)
  exhaustively searching all possible passwords
check by login or against stolen password file
success depends on password chosen by user
  surveys show many users choose poorly

Password Capture

another attack involves password capture
  watching over shoulder as password is entered
  using a trojan horse program to collect
  monitoring an insecure network login
    eg. telnet, FTP, web, email
  extracting recorded info after successful login (web history/cache, last number dialed etc)
using valid login/password can impersonate user
users need to be educated to use suitable precautions/countermeasures

Intrusion Detection

inevitably will have security failures
so need also to detect intrusions so can
  block if detected quickly
  act as deterrent
  collect info to improve security
assume intruder will behave differently to a legitimate user
  but will have imperfect distinction between

Approaches to Intrusion Detection

statistical anomaly detection
  threshold
  profile based
rule based detection
  anomaly
  penetration identification

Audit Records

fundamental tool for intrusion detection
native audit records
  part of all common multiuser O/S
  already present for use
  may not have info wanted in desired form
detection-specific audit records
  created specifically to collect wanted info
  at cost of additional overhead on system

Statistical Anomaly Detection

threshold detection
  count occurrences of specific event over time
  if exceed reasonable value assume intrusion
  alone is a crude & ineffective detector
profile based
  characterize past behavior of users
  detect significant deviations from this
  profile usually multi-parameter

Audit Record Analysis

foundation of statistical approaches
analyze records to get metrics over time
  counter, gauge, interval timer, resource use
use various tests on these to determine if current behavior is acceptable
  mean & standard deviation, multivariate, markov process, time series, operational
key advantage is no prior knowledge used
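The two statistical approaches on the preceding slides (a single threshold versus a per-user profile built from mean and standard deviation), as an added example that is not part of the original slides; the audit record layout, user names and thresholds are constructed for illustration:

```python
# Added example (not from the slides): threshold detection and profile-based
# detection run over a constructed set of audit records. The record layout,
# user names, metric and thresholds are assumptions made for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records as (user, event, day): alice fails one login a day,
# bob fails two a day, then on day 11 alice produces a burst of nine failures.
AUDIT_RECORDS = (
    [("alice", "login-fail", d) for d in range(1, 11)]
    + [("bob", "login-fail", d) for d in range(1, 11) for _ in range(2)]
    + [("alice", "login-fail", 11)] * 9
    + [("bob", "login-fail", 11), ("alice", "file-read", 11)]
)

def daily_counts(records, event):
    """Counter metric from the slides: occurrences of `event` per (user, day)."""
    counts = defaultdict(int)
    for user, ev, day in records:
        if ev == event:
            counts[(user, day)] += 1
    return counts

def threshold_alerts(counts, limit):
    """Threshold detection: flag every (user, day) whose count exceeds one
    fixed limit. Crude: a single limit cannot fit every user at once."""
    return sorted(key for key, n in counts.items() if n > limit)

def profile_alerts(counts, history_days, target_day, k=3.0):
    """Profile-based detection: per-user mean and standard deviation over
    history_days, flagging target_day when it lies more than k standard
    deviations from that user's own mean."""
    alerts = []
    for user in sorted({u for (u, _day) in counts}):
        history = [counts.get((user, d), 0) for d in history_days]
        mu, sigma = mean(history), pstdev(history)
        today = counts.get((user, target_day), 0)
        # a perfectly regular history (sigma == 0) still tolerates +/- 1 event
        if abs(today - mu) > k * max(sigma, 1.0 / k):
            alerts.append((user, today, mu))
    return alerts
```

With limit 1 the threshold detector also fires on every one of bob's ordinary days, which is the crudeness the slide refers to; the profile detector flags only alice's burst.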

Rule Based Intrusion Detection

observe events on system & apply rules to decide if activity is suspicious or not
rule based anomaly detection
  analyze historical audit records to identify usage patterns & auto-generate rules for them
  then observe current behavior & match against rules to see if conforms
  like statistical anomaly detection does not require prior knowledge of security flaws

Rule Based Intrusion Detection

rule based penetration identification
  uses expert systems technology
  with rules identifying known penetration, weakness patterns, or suspicious behavior
  compare audit records or states against rules
  rules usually machine & O/S specific
  rules are generated by experts who interview & codify knowledge of security admins
  quality depends on how well this is done

Base Rate Fallacy

practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  if too few intrusions detected -> false security
  if too many false alarms -> ignore/waste time
this is very hard to do
existing systems seem not to have a good record
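The base rate fallacy worked through with Bayes' rule, as an added example that is not part of the original slides; the intrusion base rate, detection rate and false alarm rate used are constructed figures, not measurements:

```python
# Added example (not from the slides): why a detector with a good detection
# rate and a small false alarm rate still buries the analyst in false alarms
# when intrusions are rare. All rates below are constructed for illustration.

def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """Probability that a raised alarm is a real intrusion, P(I | A).

    base_rate        P(I)       fraction of audited events that are intrusions
    detection_rate   P(A | I)   fraction of intrusions that raise an alarm
    false_alarm_rate P(A | ~I)  fraction of benign events that raise an alarm
    """
    p_alarm = detection_rate * base_rate + false_alarm_rate * (1 - base_rate)
    return detection_rate * base_rate / p_alarm

def daily_alarm_breakdown(events_per_day, base_rate, detection_rate,
                          false_alarm_rate):
    """Expected (true alarms, false alarms) per day: the analyst's queue."""
    intrusions = events_per_day * base_rate
    true_alarms = intrusions * detection_rate
    false_alarms = (events_per_day - intrusions) * false_alarm_rate
    return round(true_alarms, 2), round(false_alarms, 2)

if __name__ == "__main__":
    # 1 event in 10,000 is an intrusion; the IDS catches 99% of them and
    # misfires on 1% of benign events: under 1% of alarms are real.
    print(alarm_precision(1e-4, 0.99, 0.01))
    print(daily_alarm_breakdown(1_000_000, 1e-4, 0.99, 0.01))
```

Cutting the false alarm rate tenfold to 0.1% lifts the precision only to about 9%, which is why the slide says the problem is very hard.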

Distributed Intrusion Detection

traditional focus is on single systems
but typically have networked systems
more effective defense has these working together to detect intrusions
issues
  dealing with varying audit record formats
  integrity & confidentiality of networked data
  centralized or decentralized architecture

Distributed Intrusion Detection Architecture (figure)

Distributed Intrusion Detection Agent Implementation (figure)

Honeypots

decoy systems to lure attackers
  away from accessing critical systems
  to collect information of their activities
  to encourage attacker to stay on system so administrator can respond
are filled with fabricated information
instrumented to collect detailed information on attackers' activities
single or multiple networked systems
cf IETF Intrusion Detection WG standards

Summary

have considered:
  problem of intrusion
  intrusion detection (statistical & rule based)
  password management

Chapter 2 Viruses and Other Malicious Content

Virus and related threats, countermeasures

Viruses and Other Malicious Content

computer viruses have got a lot of publicity
one of a family of malicious software
effects usually obvious
have figured in news reports, fiction, movies (often exaggerated)
getting more attention than deserve
are a concern though

Malicious Software (figure)

Backdoor or Trapdoor

secret entry point into a program
allows those who know access bypassing usual security procedures
have been commonly used by developers
a threat when left in production programs allowing exploitation by attackers
very hard to block in O/S
requires good s/w development & update

Logic Bomb

one of oldest types of malicious software
code embedded in legitimate program
activated when specified conditions met
  eg presence/absence of some file
  particular date/time
  particular user
when triggered typically damage system
  modify/delete files/disks, halt machine, etc

Trojan Horse

program with hidden side-effects
which is usually superficially attractive
  eg game, s/w upgrade etc
when run performs some additional tasks
  allows attacker to indirectly gain access they do not have directly
often used to propagate a virus/worm or install a backdoor
or simply to destroy data

Zombie

program which secretly takes over another networked computer
then uses it to indirectly launch attacks
often used to launch distributed denial of service (DDoS) attacks
exploits known flaws in network systems

Viruses

a piece of self-replicating code attached to some other code
  cf biological virus
both propagates itself & carries a payload
  carries code to make copies of itself
  as well as code to perform some covert task

Virus Operation

virus phases:
  dormant: waiting on trigger event
  propagation: replicating to programs/disks
  triggering: by event to execute payload
  execution: of payload
details usually machine/OS specific
  exploiting features/weaknesses

Virus Structure

program V :=
{goto main;
 1234567;
 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567) then goto loop
    else prepend V to file;}
 subroutine do-damage := {whatever damage is to be done}
 subroutine trigger-pulled := {return true if condition holds}
 main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}
 next:
}

Types of Viruses

can classify on basis of how they attack
  parasitic virus
  memory-resident virus
  boot sector virus
  stealth
  polymorphic virus
  metamorphic virus

Macro Virus

macro code attached to some data file
interpreted by program using file
  eg Word/Excel macros
  esp. using auto command & command macros
code is now platform independent
is a major source of new viral infections
blur distinction between data and program files
classic trade-off: "ease of use" vs "security"
have improving security in Word etc
are no longer dominant virus threat

Email Virus

spread using email with attachment containing a macro virus
  cf Melissa
triggered when user opens attachment
  or worse even when mail viewed by using scripting features in mail agent
hence propagate very quickly
usually targeted at Microsoft Outlook mail agent & Word/Excel documents
need better O/S & application security

Worms

replicating but not infecting program
typically spreads over a network
  cf Morris Internet Worm in 1988
  led to creation of CERTs
using users' distributed privileges or by exploiting system vulnerabilities
widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS
major issue is lack of security of permanently connected systems, esp PCs

Worm Operation

worm phases like those of viruses:
  dormant
  propagation
    search for other systems to infect
    establish connection to target remote system
    replicate self onto remote system
  triggering
  execution

Morris Worm

best known classic worm
released by Robert Morris in 1988
targeted Unix systems
using several propagation techniques
  simple password cracking of local pw file
  exploit bug in finger daemon
  exploit debug trapdoor in sendmail daemon
if any attack succeeds then replicated self

Recent Worm Attacks

new spate of attacks from mid-2001
  Code Red: used MS IIS bug
    probes random IPs for systems running IIS
    had trigger time for denial of service attack
    2nd wave infected 360,000 servers in 14 hours
  Code Red 2: installed backdoor
  Nimda: multiple infection mechanisms
  SQL Slammer: attacked MS SQL server
  Sobig.f: attacked open proxy servers
  Mydoom: mass email worm + backdoor

Worm Technology

multiplatform
multi-exploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles
zero-day exploit

Virus Countermeasures

best countermeasure is prevention
but in general not possible
hence need to do one or more of:
  detection: of viruses in infected system
  identification: of specific infecting virus
  removal: restoring system to clean state

Anti-Virus Software

first generation
  scanner uses virus signature to identify virus
  or change in length of programs
second generation
  uses heuristic rules to spot viral infection
  or uses crypto hash of program to spot changes
third generation
  memory-resident programs identify virus by actions
fourth generation
  packages with a variety of antivirus techniques
  eg scanning & activity traps, access controls
arms race continues
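The second-generation technique of keeping a cryptographic hash of each program to spot changes, beside the first-generation length check, as an added example that is not part of the original slides; the file names and contents are constructed in memory so it runs offline:

```python
# Added example (not from the slides): an integrity checker in the style of
# second-generation anti-virus software. It records the length and SHA-256 of
# each program and reports any later change. Paths and contents are constructed.
import hashlib

# Constructed "programs" as they were when the baseline was recorded.
BASELINE_FILES = {
    "/usr/bin/ls":  b"\x7fELF ls-binary-v1 " + b"\x00" * 64,
    "/usr/bin/ssh": b"\x7fELF ssh-binary-v1 " + b"\x00" * 128,
}

def build_baseline(files):
    """Map each path to (length, sha256). Length alone is the first-generation
    check and misses a same-size modification; the hash catches it."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}

def check_integrity(baseline, current):
    """Compare the current files against the baseline; return sorted findings."""
    findings = []
    for path, (old_len, old_hash) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        data = current[path]
        if hashlib.sha256(data).hexdigest() == old_hash:
            continue
        if len(data) != old_len:
            findings.append((path, "length changed"))
        else:
            findings.append((path, "content changed, same length"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unknown file"))
    return sorted(findings)
```

The baseline only has value if it is stored where code running on the checked host cannot rewrite it, for example on read-only media or a separate system.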

Advanced Anti-Virus Techniques

generic decryption
  use CPU simulator to check program signature & behavior before actually running it
digital immune system (IBM)
  general purpose emulation & virus detection
  any virus entering org is captured, analyzed, detection/shielding created for it, removed

Digital Immune System (figure)

Behavior-Blocking Software

integrated with host O/S
monitors program behavior in real-time
  eg file access, disk format, executable mods, system settings changes, network access
for possibly malicious actions
  if detected can block, terminate, or seek ok
has advantage over scanners
but malicious code runs before detection

Distributed Denial of Service Attacks (DDoS)

Distributed Denial of Service (DDoS) attacks form a significant security threat
making networked systems unavailable
  by flooding with useless traffic
  using large numbers of zombies
growing sophistication of attacks
defense technologies struggling to cope

Constructing the DDoS Attack Network

must infect large number of zombies
needs:
  software to implement the DDoS attack
  an unpatched vulnerability on many systems
  scanning strategy to find vulnerable systems
    random, hit-list, topological, local subnet

DDoS Countermeasures

three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & ident (after)
huge range of attack possibilities
hence evolving countermeasures

Summary

have considered:
  various malicious programs
    trapdoor, logic bomb, trojan horse, zombie
  viruses
  worms
  countermeasures
  distributed denial of service attacks

Chapter 3 Firewalls

Introduction

seen evolution of information systems
now everyone wants to be on the Internet
and to interconnect networks
has persistent security concerns
  can't easily secure every system in org
typically use a Firewall
to provide perimeter defence
as part of comprehensive security strategy

What is a Firewall?

a choke point of control and monitoring
interconnects networks with differing trust
imposes restrictions on network services
  only authorized traffic is allowed
auditing and controlling access
  can implement alarms for abnormal behavior
provide NAT & usage monitoring
implement VPNs using IPSec
must be immune to penetration

Firewall Limitations

cannot protect from attacks bypassing it
  eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
cannot protect against internal threats
  eg disgruntled or colluding employees
cannot protect against transfer of all virus infected programs or files
  because of huge range of O/S & file types

Firewalls: Packet Filters

simplest, fastest firewall component
foundation of any firewall system
examine each IP packet (no context) and permit or deny according to rules
hence restrict access to services (ports)
possible default policies
  that not expressly permitted is prohibited
  that not expressly prohibited is permitted

Attacks on Packet Filters

IP address spoofing
  fake source address to be trusted
  add filters on router to block
source routing attacks
  attacker sets a route other than default
  block source routed packets
tiny fragment attacks
  split header info over several tiny packets
  either discard or reassemble before check

Firewalls: Stateful Packet Filters

traditional packet filters do not examine higher layer context
  ie matching return packets with outgoing flow
stateful packet filters address this need
they examine each IP packet in context
  keep track of client-server sessions
  check each packet validly belongs to one
hence are better able to detect bogus packets out of context
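A stateless rule table with a default-deny policy beside a stateful filter that tracks client-server sessions, covering both the packet filter slide and the stateful packet filter slide above; this is an added example, not part of the original slides, and its addresses, ports and packet layout are constructed for illustration:

```python
# Added example (not from the slides): a stateless packet-filter rule table with
# a default policy, and a stateful filter that additionally admits only inbound
# packets belonging to a session an inside host opened. Addresses, ports and the
# packet dictionary format are constructed for illustration.
INSIDE = "10.0.0."          # constructed internal network prefix

# Rule fields: (direction, src_prefix, dst_prefix, proto, dst_port, action).
# "*" matches anything; rules are checked top to bottom, first match wins.
RULES = [
    ("in",  "*",    INSIDE, "tcp", 25, "permit"),   # inbound SMTP to our mail host
    ("out", INSIDE, "*",    "tcp", 25, "permit"),   # outbound SMTP
    ("out", INSIDE, "*",    "tcp", 80, "permit"),   # outbound HTTP
]
DEFAULT_POLICY = "deny"     # "that not expressly permitted is prohibited"

def packet(direction, src, sport, dst, dport, proto="tcp", syn=False):
    return {"direction": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto, "syn": syn}

def addr_match(addr, prefix):
    return prefix == "*" or addr.startswith(prefix)

def stateless_filter(pkt):
    """Judge each packet on its own header fields, with no connection context."""
    for direction, src, dst, proto, dport, action in RULES:
        if (pkt["direction"] == direction and addr_match(pkt["src"], src)
                and addr_match(pkt["dst"], dst) and pkt["proto"] == proto
                and (dport == "*" or pkt["dport"] == dport)):
            return action
    return DEFAULT_POLICY

class StatefulFilter:
    """Keeps a table of client-server sessions so that return packets are
    accepted only when they belong to a flow an inside client started."""
    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if pkt["direction"] == "in":
            reply_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reply_key in self.sessions:
                return "permit"         # in-context reply to an open session
        verdict = stateless_filter(pkt)
        if verdict == "permit" and pkt["direction"] == "out" and pkt["syn"]:
            # remember the outbound connection so its replies can come back
            self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict
```

The stateless table has no way to admit the HTTP reply without a broad inbound rule; the stateful filter admits it only after the matching outbound SYN and still rejects an unsolicited packet to the same inside port.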

Firewalls: Application Level Gateway (or Proxy)

have application specific gateway/proxy
has full access to protocol
  user requests service from proxy
  proxy validates request as legal
  then actions request and returns result to user
  can log/audit traffic at application level
need separate proxies for each service
  some services naturally support proxying
  others are more problematic

Firewalls: Circuit Level Gateway

relays two TCP connections
imposes security by limiting which such connections are allowed
once created usually relays traffic without examining contents
typically used when trust internal users by allowing general outbound connections
SOCKS is commonly used

Bastion Host

highly secure host system
runs circuit/application level gateways
or provides externally accessible services
potentially exposed to "hostile" elements
hence is secured to withstand this
  hardened O/S, essential services, extra auth
  proxies small, secure, independent, non-privileged
may support 2 or more net connections
may be trusted to enforce policy of trusted separation between these net connections

Firewall Configurations (figures)

Access Control

given system has identified a user
determine what resources they can access
general model is that of access matrix with
  subject: active entity (user, process)
  object: passive entity (file or resource)
  access right: way object can be accessed
can decompose by
  columns as access control lists
  rows as capability tickets

Access Control Matrix (figure)

Trusted Computer Systems

information security is increasingly important
have varying degrees of sensitivity of information
  cf military info classifications: confidential, secret etc
subjects (people or programs) have varying rights of access to objects (information)
known as multilevel security
  subjects have maximum & current security level
  objects have a fixed security level classification
want to consider ways of increasing confidence in systems to enforce these rights

Bell-LaPadula (BLP) Model

one of the most famous security models
implemented as mandatory policies on system
has two key policies:
no read up (simple security property)
  a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
no write down (*-property)
  a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
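The two BLP properties checked against a subject with a maximum and a current security level, as an added example that is not part of the original slides; the four-level ordering, subject and object names are constructed for illustration:

```python
# Added example (not from the slides): the simple security property (no read
# up) and the *-property (no write down) of Bell-LaPadula, with subjects that
# carry a maximum and a current level. Level names are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def dominates(a, b):
    """Level a dominates level b when a is at or above b in the ordering."""
    return LEVELS[a] >= LEVELS[b]

class Subject:
    def __init__(self, name, max_level, current_level=None):
        self.name = name
        self.max_level = max_level
        self.current_level = current_level or max_level
        if not dominates(max_level, self.current_level):
            raise ValueError("current level may not exceed maximum level")

    def set_current(self, level):
        """A subject may lower its current level, but never above its maximum."""
        if not dominates(self.max_level, level):
            raise ValueError(f"{self.name} cannot operate above {self.max_level}")
        self.current_level = level

def can_read(subject, obj_level):
    """Simple security property: read only if the subject dominates the object."""
    return dominates(subject.current_level, obj_level)

def can_write(subject, obj_level):
    """*-property: append/write only if the object dominates the subject,
    so information never flows to a lower classification."""
    return dominates(obj_level, subject.current_level)

def can_read_write(subject, obj_level):
    """Combined read and write access satisfies both rules only at equal level."""
    return can_read(subject, obj_level) and can_write(subject, obj_level)
```

To write into a confidential object, a secret-cleared subject must first lower its current level to confidential, after which it can no longer read secret objects; that is the mechanism by which the model prevents leaking downward.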

Reference Monitor (figure)

Evaluated Computer Systems

governments can evaluate IT systems against a range of standards:
  TCSEC, ITSEC and now Common Criteria
define a number of levels of evaluation with increasingly stringent checking
have published lists of evaluated products
  though aimed at government/defense use
  can be useful in industry also

Common Criteria

international initiative specifying security requirements & defining evaluation criteria
incorporates earlier standards
  eg TCSEC, ITSEC, CTCPEC (Canadian), Federal (US)
specifies standards for
  evaluation criteria
  methodology for application of criteria
  administrative procedures for evaluation, certification and accreditation schemes

Common Criteria

defines set of security requirements
have a Target Of Evaluation (TOE)
requirements fall in two categories
  functional
  assurance
both organised in classes of families & components

Common Criteria Requirements

Functional Requirements
  security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path

Assurance Requirements
  configuration management, delivery & operation, development, guidance documents, life cycle support, tests, vulnerability assessment, assurance maintenance

Summary

have considered:
  firewalls
  types of firewalls
  configurations
  access control
  trusted systems
  common criteria