Network Security

Justin Weisz
jweisz@andrew.cmu.edu

15-441 Networks Fall 2002

1

Overview

What is security?  Why do we need security?  Who is vulnerable?  Common security attacks and countermeasures
– – – – – Firewalls & Intrusion Detection Systems Denial of Service Attacks TCP Attacks Packet Sniffing Social Problems
3

15-441 Networks Fall 2002

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 4

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 5

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 6

• 2. • 3. as: • 1. as by a business or homeowner. – 2. safety. – 3. to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant. Something that gives or assures safety. Freedom from doubt. anxiety. or fear. Measures adopted by a government to prevent espionage. 15-441 Networks Fall 2002 7 .com says: – 1. A group or department of private guards: Call building security if a visitor acts suspicious. …etc. sabotage. or attack. Freedom from risk or danger. Measures adopted.What is “Security”  Dictionary. confidence.

 Provide authentication and access control for resources – Ex: AFS  Guarantee availability of resources – Ex: 5 9’s (99.999% reliability) 15-441 Networks Fall 2002 8 . medical records.Why do we need security?  Protect vital information while still allowing access to those who need it – Trade secrets. etc.

Who is vulnerable? Financial institutions and banks  Internet service providers  Pharmaceutical companies  Government and defense agencies  Contractors to various government agencies  Multinational corporations  ANYONE ON THE NETWORK  15-441 Networks Fall 2002 9 .

buffer overflows – Intrusion Detection Systems Denial of Service – Ingress filtering. SSL.Common security attacks and their countermeasures       Finding a way into the network – Firewalls Exploiting software bugs. HTTPS) Social problems – Education 10 15-441 Networks Fall 2002 . IDS TCP hijacking – IPSec Packet sniffing – Encryption (SSH.

Firewalls  Basic problem – many network applications and protocols have security problems that are fixed over time – Difficult for users to keep up with changes and keep host secure – Solution • Administrators limit access to end hosts by using a firewall • Firewall is kept up-to-date by administrators 15-441 Networks Fall 2002 11 .

Windows XP and Mac OS X have built in firewalls 15-441 Networks Fall 2002 12 . ipchains. Some routers come with firewall functionality – ipfw. pf on Unix systems.Firewalls  A firewall is like a castle with a drawbridge – Only one point of access into the network – This can be good or bad  Can be hardware or software – Ex.

email server.Firewalls Internet DMZ Web server. etc Firewall 15-441 Networks Fall 2002 Firewall Intranet 13 . web proxy.

but they will not be discussed – Ex. Drop packets with destination port of 23 (Telnet) – Can use any combination of IP/UDP/TCP header information – man ipfw on unix47 for much more detail  But why don’t we just turn Telnet off? 14 15-441 Networks Fall 2002 .Firewalls  Used to filter packets based on a combination of features – These are called packet filtering firewalls • There are other types too.

or might not be able to control all the machines on the network 15 15-441 Networks Fall 2002 .Firewalls  Here is what a computer with a default Windows XP install looks like: – – – – – – 135/tcp open loc-srv 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 3389/tcp open ms-term-serv 5000/tcp open UPnP  Might need some of these services.

Firewalls   What does a firewall rule look like? – Depends on the firewall used Example: ipfw – /sbin/ipfw add deny tcp from cracker.org to wolf.tambov.evil.su telnet  Other examples: WinXP & Mac OS X have built in and third party firewalls – Different graphical user interfaces – Varying amounts of complexity and power 15-441 Networks Fall 2002 16 .

www. like buffer overflows  Open Source IDS: Snort.org 15-441 Networks Fall 2002 17 .Intrusion Detection  Used to monitor for “suspicious activity” on a network – Can protect against known software exploits.snort.

etc.cat%20/etc/passwd”  However. web server indexing. OS fingerprinting.cgi – Can make a rule to drop packets containing the line • “/cgi-bin/webdist.Intrusion Detection  Uses “intrusion signatures” – Well known patterns of behavior • Ping sweeps. DoS attempts.  Example – IRIX vulnerability in webdist.cgi?distloc=?. port scanning. IDS is only useful if contingency plans are in place to curb attacks as they are occurring 18 15-441 Networks Fall 2002 .

Minor Detour… Say we got the /etc/passwd file from the IRIX server  What can we do with it?  15-441 Networks Fall 2002 19 .

and compare with the hashed passwords  This is why your passwords should be meaningless random junk! – For example.Dictionary Attack  We can run a dictionary attack on the passwords – The passwords in /etc/passwd are encrypted with the crypt(3) function (one-way hash) – Can take a dictionary of words. crypt() them all. “sdfo839f” is a good password • That is not my andrew password • Please don’t try it either 15-441 Networks Fall 2002 20 .

Denial of Service Purpose: Make a network service unusable. usually by overloading the server or network  Many different kinds of DoS attacks  – SYN flooding – SMURF – Distributed attacks – Mini Case Study: Code-Red 15-441 Networks Fall 2002 21 .

Denial of Service  SYN flooding attack  Send SYN packets with bogus source address – Why?  Server responds with SYN ACK and keeps state about TCP half-open connection – Eventually. create a special “cookie” for the connection. and forget everything else – Then. server memory is exhausted with this state  Solution: use “SYN cookies” – In response to a SYN. can recreate the forgotten information when the ACK comes in from a legitimate connection 15-441 Networks Fall 2002 22 .

Denial of Service 15-441 Networks Fall 2002 23 .

Denial of Service  SMURF – Source IP address of a broadcast ping is forged – Large number of machines respond back to victim. overloading it 15-441 Networks Fall 2002 24 .

Denial of Service ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim 15-441 Networks Fall 2002 25 .

htm 15-441 Networks Fall 2002 26 .71.71.193 -l 65500 -n 10000 – Sends 10.exe 207.com/dos/grcdos.000 64k packets to the host (655MB!) • Read more at: http://grc.Denial of Service  Distributed Denial of Service – Same techniques as regular DoS.92.92. but on a much larger scale – Example: Sub7Server Trojan and IRC bots • Infect a large number of machines with a “zombie” program • Zombie program logs into an IRC channel and awaits commands • Example: – Bot command: !p4 207.193 – Result: runs ping.

2001: over 359.Denial of Service  Mini Case Study – CodeRed – July 19.6 billion 15-441 Networks Fall 2002 27 .000 computers infected with Code-Red in less than 14 hours – Used a recently known buffer exploit in Microsoft IIS – Damages estimated in excess of $2.

Denial of Service  Why is this under the Denial of Service category? – CodeRed launched a DDOS attack against www1.whitehouse.gov from the 20th to the 28th of every month! – Spent the rest of its time infecting other hosts 15-441 Networks Fall 2002 28 .

then drop it • RFC 2267 has more information about this – Stay on top of CERT advisories and the latest security patches • A fix for the IIS buffer overflow was released sixteen days before CodeRed had been deployed! 15-441 Networks Fall 2002 29 .Denial of Service  How can we protect ourselves? – Ingress filtering • If the source IP of a packet comes in on an interface which does not have a route to that packet.

TCP Attacks  Recall how IP works… – End hosts create IP packets and routers process them purely based on destination address alone  Problem: End hosts may lie about other fields which do not affect delivery – Source address – host may trick destination into believing that the packet is from a trusted source • Especially applications which use IP addresses as a simple authentication method • Solution – use better authentication methods 15-441 Networks Fall 2002 30 .

TCP Attacks   TCP connections have associated state – Starting sequence numbers. port numbers Problem – what if an attacker learns these values? – Port numbers are sometimes well known to begin with (ex. HTTP uses port 80) – Sequence numbers are sometimes chosen in very predictable ways 15-441 Networks Fall 2002 31 .

Instead of downloading and running new program. then the connection can be hijacked!  Attacker can insert malicious data into the TCP stream. you download a virus and execute it 15-441 Networks Fall 2002 32 .TCP Attacks If an attacker learns the associated TCP state for the connection. and the recipient will believe it came from the original source  – Ex.

Big Ears 15-441 Networks Fall 2002 33 .TCP Attacks  Say hello to Alice. Bob and Mr.

TCP Attacks  Alice and Bob have an established TCP connection 15-441 Networks Fall 2002 34 .

Big Ears lies on the path between Alice and Bob on the network – He can intercept all of their packets 15-441 Networks Fall 2002 35 .TCP Attacks  Mr.

Big Ears must drop all of Alice’s packets since they must not be delivered to Bob (why?) Packets The Void 15-441 Networks Fall 2002 36 .TCP Attacks  First. Mr.

TCP Attacks  Then. Big Ears sends his malicious packet with the next ISN (Initial Sequence Number) (sniffed from the network) ISN. Mr. SRC=Alice 15-441 Networks Fall 2002 37 .

TCP Attacks  What if Mr. Big Ears is unable to sniff the packets between Alice and Bob? – Can just DoS Alice instead of dropping her packets – Can just send guesses of what the ISN is until it is accepted 15-441 Networks Fall 2002 38 .

TCP Attacks  Why are these types of TCP attacks so dangerous? Web server Trusting web client 15-441 Networks Fall 2002 Malicious user 39 .

so Mr. Big Ears cannot talk to Bob without knowing what the session key is 15-441 Networks Fall 2002 40 . Big Ears cannot pretend to be Alice – Encrypts data before transport.TCP Attacks How do we prevent this?  IPSec  – Provides source authentication. so Mr.

Packet Sniffing Recall how Ethernet works …  When someone wants to send a packet to some else …  They put the bits on the wire with the destination MAC address …  And remember that other hosts are listening on the wire to detect for collisions …  It couldn’t get any easier to figure out what data is being transmitted over the network!  15-441 Networks Fall 2002 42 .

Packet Sniffing This works for wireless too!  In fact. it works for any broadcast-based medium  15-441 Networks Fall 2002 43 .

Packet Sniffing What kinds of data can we get?  Asked another way. what kind of information would be most useful to a malicious user?  Answer: Anything in plain text  – Passwords are the most popular 15-441 Networks Fall 2002 44 .

not FTP – Unless you really don’t care about the password or data – Can also use KerbFTP (download from MyAndrew)  IPSec – Provides network-layer confidentiality 15-441 Networks Fall 2002 45 .Packet Sniffing  How can we protect ourselves?  SSH. not Telnet  HTTP over SSL – Especially when making purchases with credit cards!  SFTP.

unless they have been specially trained • Think government here… 15-441 Networks Fall 2002 46 . to give up valuable information – Most humans will breakdown once they are at the “harmed” stage. threatened. manipulated. etc. tortured. bribed.Social Problems  People can be just as dangerous as unprotected computer systems – People can be lied to. harmed.

I need you to punch a bunch of buttons for me” 15-441 Networks Fall 2002 47 . I’m your AT&T rep.Social Problems  Fun Example 1: – “Hi. I’m stuck on a pole.

we have a call that’s actually active right now. it’s on your calling card and it’s to Egypt and as a matter of fact.Social Problems  Fun Example 2: – Someone calls you in the middle of the night • “Have you been calling Egypt for the last six hours?” • “No” • “Well. you’ve got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I’ll get rid of the charge for you” 15-441 Networks Fall 2002 48 .

the three disgruntled employees installed a money-stealing worm onto the companies systems – They did this from inside the company. where they had full access to the companies systems • What security techniques can we use to prevent this type of access? 15-441 Networks Fall 2002 49 .Social Problems  Fun Example 3: – Who saw Office Space? – In the movie.

this solution is still not perfect 15-441 Networks Fall 2002 50 . but.Social Problems  There aren’t always solutions to all of these problems – Humans will continue to be tricked into giving out information they shouldn’t – Educating them may help a little here. depending on how bad you want the information. the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information – But. there are a lot of bad things you can do to get it  So.

Conclusions The Internet works only because we implicitly trust one another  It is very easy to exploit this trust  The same holds true for software  It is important to stay on top of the latest CERT security advisories to know how to patch any security holes  15-441 Networks Fall 2002 51 .

com/pubs/networkintrusion-detection.securityfocus.org/  http://grc.snort.org/  http://www.com/infocus/1527  http://www.Security related URLs http://www.htm  http://lcamtuf.cert.coredump.robertgraham.nmap.org/  http://www.com/dos/grcdos.cx/newtcp/  15-441 Networks Fall 2002 52 .html  http://online.

/408349.0 .8700./.3/90.0.3057490.74:90949.94:780.   ..95.0!41..09.08 3708819073 W 19084:7..9./-003/0540/  09478.-4:998 $9.8247031472.0714..08 W 114790$-:11074.0 4.9089 80.09 903/745 9 W #..5.80/89003 /.8-01470 4/0#0/..943.84708.4394541#%.03.4208343.41$07.:795.339071.

.97.4!478 3/4898.8 #0....//7088.-4:9490710/8 ..088 9025:70-.90!5.110.55.8.07 $4:7.098.:9039..9438.:80!.9905.0.3/74:9078574.97:890/84:7./0893.//708808.0.70.0 W 850.943394 -00.430 !74-023/48982.%!99.:9039.943.//7088 4892.39./4349.9432094/ W $4:943 :80-09907..0981742. 8250.   ..9/0.80/43/0893..9432094/8  09478.

03:2-078 54793:2-078 !74-02 .0.90 $9..4330.99.793806:03.7389080 .7084209208034394-03 9 0 %%!:8085479 $06:03.48033 ...070.:08 !4793:2-078..07570/.9438.91.9.90/89.8 %!.8  09478.%!99.   .3.03:2-078..7084209208.884.-0.

0  3890.90/%! 89.09 .:909  09478./3.5039-00./.9.884.   .73890.7:8.4330.0/ 99.3/9070.3/00.3-0..070./41/434.20174290473.943 90390..9014790..943 .99.2 ..3.84:7.39490 %!8970..%!99..8 1.2 4:/434..07.3/7:33330 5747.4330....4:8/.3380792.

0 4-.8 $..3/7 .78  09478.   .0494.%!99.

0.-80/%! .8 .0.4330..943  09478.   .3089..3/4-.%!99.

33907.780843905...9-09003.8 7 .059.   .419075..098  09478.%!99.3/4-439030947 0.0 .

0902:89349-0/0..8 789 7 .0 8 5.782:89/745.41.   ...070/94 4-  !.09883.%!99.098 %0'4/  09478.

8 %03 7 ..78803/882..0  09478.$06:03.0 :2-07 83110/17429030947 $ $#.   .4:8 5.%!99.09990309$ 39..

0.0590/  09478.-094831190 5./41/7455307 5.917 .   ..788:3...098-09003.098 ..3:894$.8 .03890..3/4- .3:89803/:0880841.990$8:399 8.%!99.

99.%!99..07 %7:8930-.8 .3074:8 0-807.039  09478.4:8:807  .884 /.  .709080950841%!...

%!99.385479 847 .78 ./0884:7.9.33499. !74.0.943 847 ..:9039.7598/..990 80884308  09478.3349570903/94-0.8 4/40570..03998 !$0.   ..0 3.-0147097.78 .944-94:9343.

425090:370.90/94980.   .03:9070.9:70  09478. 474:70342039 0708842093 ..

   .9.5..7089033 43907094/090.9 /.0994 8420080 %05:990-98439070990 /0893.4907309478 038420430.30.!.48438 9.943.079030947  09478.949074898.39894803/..382990/4.4:/3 909..09$3113 #0.8-0397.//7088 3/70202-079.807941:704:9.9147.

.80/ 20/:2  09478./.89 -.09$3113 %847814770088944 31..!..3-74.   .9 9478147.

2.09$3113 ..7  09478.   .93/4131472.. .8847/8.70902489545:.93/841/..3009 80/.9.3909 !.943 4:/-02489:801:94..!.4:8:807 380739335.34907.

84:8007-%! /434..032.3. /43 9.70/9.70. !74...-4:9905.431/039.9.   ..94:780..8089./0830947 ./17423/70 !$0.07$$ 850.09$3113 4..07.!.08 $$ 349%0309 %%!4.3057490.8847/47/. .7/8 $%! 349%! &30884:70.35:7.9  09478.

9030/ .-031472.70.90/.30/ W %34.425:907889028 !0450.0732039070  09478./4343.8/.!74-028 !0450..:...3074:8.720/ 9479:70/ 09. 94..$4.97.38-70..   .0:5 .3-00/94 2.90/ -7-0/  970.720/ 89.8 :357490.090.0 :308890.943 489:2..35:.3-0:89.9 90 .0-003 850.

   .540  300/4:945:3.$4.41-:9943814720  09478.!74-028 :3..250   24:7% %705  289:..-:3.43.

/4114:7% %.7/...9 8...3/9 89459.$4.708434:7.9:...!74-028 :3.250 $420430.35914790.8984:78 W 4 W 0 0.049.7/...7/ 3:2-07.70147 4:  09478.9 4: .8.84:3902//0419039 W ..04:-003.07934  9 8434:7.3/..3..0.3/!..3/ 70...9.-4:9 47941 .9907411. 2.3/903 097/4190..9..   ..

/1:.!74-028 :3..308889028 %0//98174238/0 90.3472439490 .0$5.0/.   ..425..250 48.3 070 90..088 9490.980.2430 890.. 11..:7990.088  09478.425..0 39024.$4.36:08.308889028 W .03998 95041.30:8094570.425.0 909700/87:390/0254008 389.

/9384:.884:943894.4802439474.990070 -:9 /0503/3434-.4393:094-097.05.08./ 4:..3/494 099 $4 90-0899.8..419080574-028 :2.939022.   .34:931472..9309477084:7.399031472.$4...4941-.70.3/31472.943 :9 9884:94388934950710.3/2470.943 9070.703 9..9  09478.0/394.94390 84:/3 9 /:.9./0.38...3-0/4308942502039.08894 .709 4184:9438.!74-028 %070.

9 97:89430.204/897:01478419.34907 98..:79.43.:79408  09478.9.380.847089434494 5.:8438 %0390730947843-0.9089 #%80.:80025.89405499897:89 %08.399489.   ../.439454190.070.70 9825479.

$0.90/&#8 995.:7970.

.

. 74-0797.2 .42.

5:-8.

30947 397:843 /090.943 92 995.

.

4330 80.42.:7914.:8 .

314.:8.

 995.

.

 83479 47.

995.

.

079 47. .

995.

.

5 47. 32.

995.

.

42. .7.

/48.

/48 92 995.7.

.

..29:1 ..470/:25 .

309.5.

   .  09478.

Sign up to vote on this title
UsefulNot useful