Network Security

Justin Weisz
jweisz@andrew.cmu.edu

15-441 Networks Fall 2002

1

Overview

What is security?  Why do we need security?  Who is vulnerable?  Common security attacks and countermeasures
– – – – – Firewalls & Intrusion Detection Systems Denial of Service Attacks TCP Attacks Packet Sniffing Social Problems
3

15-441 Networks Fall 2002

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 4

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 5

What is “Security”

Dictionary.com says:
– 1. Freedom from risk or danger; safety. – 2. Freedom from doubt, anxiety, or fear; confidence. – 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious. • 2. Measures adopted by a government to prevent espionage, sabotage, or attack. • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

…etc.
15-441 Networks Fall 2002 6

confidence. Freedom from risk or danger. …etc. sabotage. – 3. anxiety. to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant. A group or department of private guards: Call building security if a visitor acts suspicious. Freedom from doubt. Measures adopted by a government to prevent espionage. Measures adopted. • 2. as by a business or homeowner. or fear. safety.What is “Security”  Dictionary. 15-441 Networks Fall 2002 7 . as: • 1. or attack. Something that gives or assures safety.com says: – 1. – 2. • 3.

 Provide authentication and access control for resources – Ex: AFS  Guarantee availability of resources – Ex: 5 9’s (99.999% reliability) 15-441 Networks Fall 2002 8 . etc. medical records.Why do we need security?  Protect vital information while still allowing access to those who need it – Trade secrets.

Who is vulnerable? Financial institutions and banks  Internet service providers  Pharmaceutical companies  Government and defense agencies  Contractors to various government agencies  Multinational corporations  ANYONE ON THE NETWORK  15-441 Networks Fall 2002 9 .

Common security attacks and their countermeasures       Finding a way into the network – Firewalls Exploiting software bugs. SSL. IDS TCP hijacking – IPSec Packet sniffing – Encryption (SSH. buffer overflows – Intrusion Detection Systems Denial of Service – Ingress filtering. HTTPS) Social problems – Education 10 15-441 Networks Fall 2002 .

Firewalls  Basic problem – many network applications and protocols have security problems that are fixed over time – Difficult for users to keep up with changes and keep host secure – Solution • Administrators limit access to end hosts by using a firewall • Firewall is kept up-to-date by administrators 15-441 Networks Fall 2002 11 .

Firewalls  A firewall is like a castle with a drawbridge – Only one point of access into the network – This can be good or bad  Can be hardware or software – Ex. pf on Unix systems. Windows XP and Mac OS X have built in firewalls 15-441 Networks Fall 2002 12 . ipchains. Some routers come with firewall functionality – ipfw.

etc Firewall 15-441 Networks Fall 2002 Firewall Intranet 13 . web proxy. email server.Firewalls Internet DMZ Web server.

Firewalls  Used to filter packets based on a combination of features – These are called packet filtering firewalls • There are other types too. Drop packets with destination port of 23 (Telnet) – Can use any combination of IP/UDP/TCP header information – man ipfw on unix47 for much more detail  But why don’t we just turn Telnet off? 14 15-441 Networks Fall 2002 . but they will not be discussed – Ex.

or might not be able to control all the machines on the network 15 15-441 Networks Fall 2002 .Firewalls  Here is what a computer with a default Windows XP install looks like: – – – – – – 135/tcp open loc-srv 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 3389/tcp open ms-term-serv 5000/tcp open UPnP  Might need some of these services.

su telnet  Other examples: WinXP & Mac OS X have built in and third party firewalls – Different graphical user interfaces – Varying amounts of complexity and power 15-441 Networks Fall 2002 16 .org to wolf.tambov.Firewalls   What does a firewall rule look like? – Depends on the firewall used Example: ipfw – /sbin/ipfw add deny tcp from cracker.evil.

org 15-441 Networks Fall 2002 17 . www.snort.Intrusion Detection  Used to monitor for “suspicious activity” on a network – Can protect against known software exploits. like buffer overflows  Open Source IDS: Snort.

Intrusion Detection  Uses “intrusion signatures” – Well known patterns of behavior • Ping sweeps.cgi – Can make a rule to drop packets containing the line • “/cgi-bin/webdist.cat%20/etc/passwd”  However. web server indexing. IDS is only useful if contingency plans are in place to curb attacks as they are occurring 18 15-441 Networks Fall 2002 . DoS attempts.  Example – IRIX vulnerability in webdist. OS fingerprinting. port scanning.cgi?distloc=?. etc.

Minor Detour… Say we got the /etc/passwd file from the IRIX server  What can we do with it?  15-441 Networks Fall 2002 19 .

Dictionary Attack  We can run a dictionary attack on the passwords – The passwords in /etc/passwd are encrypted with the crypt(3) function (one-way hash) – Can take a dictionary of words. “sdfo839f” is a good password • That is not my andrew password • Please don’t try it either 15-441 Networks Fall 2002 20 . and compare with the hashed passwords  This is why your passwords should be meaningless random junk! – For example. crypt() them all.

usually by overloading the server or network  Many different kinds of DoS attacks  – SYN flooding – SMURF – Distributed attacks – Mini Case Study: Code-Red 15-441 Networks Fall 2002 21 .Denial of Service Purpose: Make a network service unusable.

server memory is exhausted with this state  Solution: use “SYN cookies” – In response to a SYN. can recreate the forgotten information when the ACK comes in from a legitimate connection 15-441 Networks Fall 2002 22 . and forget everything else – Then.Denial of Service  SYN flooding attack  Send SYN packets with bogus source address – Why?  Server responds with SYN ACK and keeps state about TCP half-open connection – Eventually. create a special “cookie” for the connection.

Denial of Service 15-441 Networks Fall 2002 23 .

Denial of Service  SMURF – Source IP address of a broadcast ping is forged – Large number of machines respond back to victim. overloading it 15-441 Networks Fall 2002 24 .

Denial of Service ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim 15-441 Networks Fall 2002 25 .

htm 15-441 Networks Fall 2002 26 .com/dos/grcdos.92.193 -l 65500 -n 10000 – Sends 10.71.exe 207.71.193 – Result: runs ping.Denial of Service  Distributed Denial of Service – Same techniques as regular DoS.000 64k packets to the host (655MB!) • Read more at: http://grc. but on a much larger scale – Example: Sub7Server Trojan and IRC bots • Infect a large number of machines with a “zombie” program • Zombie program logs into an IRC channel and awaits commands • Example: – Bot command: !p4 207.92.

6 billion 15-441 Networks Fall 2002 27 . 2001: over 359.000 computers infected with Code-Red in less than 14 hours – Used a recently known buffer exploit in Microsoft IIS – Damages estimated in excess of $2.Denial of Service  Mini Case Study – CodeRed – July 19.

gov from the 20th to the 28th of every month! – Spent the rest of its time infecting other hosts 15-441 Networks Fall 2002 28 .whitehouse.Denial of Service  Why is this under the Denial of Service category? – CodeRed launched a DDOS attack against www1.

Denial of Service  How can we protect ourselves? – Ingress filtering • If the source IP of a packet comes in on an interface which does not have a route to that packet. then drop it • RFC 2267 has more information about this – Stay on top of CERT advisories and the latest security patches • A fix for the IIS buffer overflow was released sixteen days before CodeRed had been deployed! 15-441 Networks Fall 2002 29 .

TCP Attacks  Recall how IP works… – End hosts create IP packets and routers process them purely based on destination address alone  Problem: End hosts may lie about other fields which do not affect delivery – Source address – host may trick destination into believing that the packet is from a trusted source • Especially applications which use IP addresses as a simple authentication method • Solution – use better authentication methods 15-441 Networks Fall 2002 30 .

HTTP uses port 80) – Sequence numbers are sometimes chosen in very predictable ways 15-441 Networks Fall 2002 31 .TCP Attacks   TCP connections have associated state – Starting sequence numbers. port numbers Problem – what if an attacker learns these values? – Port numbers are sometimes well known to begin with (ex.

you download a virus and execute it 15-441 Networks Fall 2002 32 . then the connection can be hijacked!  Attacker can insert malicious data into the TCP stream. and the recipient will believe it came from the original source  – Ex. Instead of downloading and running new program.TCP Attacks If an attacker learns the associated TCP state for the connection.

Big Ears 15-441 Networks Fall 2002 33 . Bob and Mr.TCP Attacks  Say hello to Alice.

TCP Attacks  Alice and Bob have an established TCP connection 15-441 Networks Fall 2002 34 .

TCP Attacks  Mr. Big Ears lies on the path between Alice and Bob on the network – He can intercept all of their packets 15-441 Networks Fall 2002 35 .

Big Ears must drop all of Alice’s packets since they must not be delivered to Bob (why?) Packets The Void 15-441 Networks Fall 2002 36 .TCP Attacks  First. Mr.

Mr. Big Ears sends his malicious packet with the next ISN (Initial Sequence Number) (sniffed from the network) ISN.TCP Attacks  Then. SRC=Alice 15-441 Networks Fall 2002 37 .

Big Ears is unable to sniff the packets between Alice and Bob? – Can just DoS Alice instead of dropping her packets – Can just send guesses of what the ISN is until it is accepted 15-441 Networks Fall 2002 38 .TCP Attacks  What if Mr.

TCP Attacks  Why are these types of TCP attacks so dangerous? Web server Trusting web client 15-441 Networks Fall 2002 Malicious user 39 .

so Mr.TCP Attacks How do we prevent this?  IPSec  – Provides source authentication. so Mr. Big Ears cannot talk to Bob without knowing what the session key is 15-441 Networks Fall 2002 40 . Big Ears cannot pretend to be Alice – Encrypts data before transport.

Packet Sniffing Recall how Ethernet works …  When someone wants to send a packet to some else …  They put the bits on the wire with the destination MAC address …  And remember that other hosts are listening on the wire to detect for collisions …  It couldn’t get any easier to figure out what data is being transmitted over the network!  15-441 Networks Fall 2002 42 .

it works for any broadcast-based medium  15-441 Networks Fall 2002 43 .Packet Sniffing This works for wireless too!  In fact.

what kind of information would be most useful to a malicious user?  Answer: Anything in plain text  – Passwords are the most popular 15-441 Networks Fall 2002 44 .Packet Sniffing What kinds of data can we get?  Asked another way.

Packet Sniffing  How can we protect ourselves?  SSH. not Telnet  HTTP over SSL – Especially when making purchases with credit cards!  SFTP. not FTP – Unless you really don’t care about the password or data – Can also use KerbFTP (download from MyAndrew)  IPSec – Provides network-layer confidentiality 15-441 Networks Fall 2002 45 .

to give up valuable information – Most humans will breakdown once they are at the “harmed” stage. tortured. harmed. unless they have been specially trained • Think government here… 15-441 Networks Fall 2002 46 . manipulated. bribed. etc. threatened.Social Problems  People can be just as dangerous as unprotected computer systems – People can be lied to.

I’m your AT&T rep. I’m stuck on a pole.Social Problems  Fun Example 1: – “Hi. I need you to punch a bunch of buttons for me” 15-441 Networks Fall 2002 47 .

it’s on your calling card and it’s to Egypt and as a matter of fact. we have a call that’s actually active right now. you’ve got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I’ll get rid of the charge for you” 15-441 Networks Fall 2002 48 .Social Problems  Fun Example 2: – Someone calls you in the middle of the night • “Have you been calling Egypt for the last six hours?” • “No” • “Well.

Social Problems  Fun Example 3: – Who saw Office Space? – In the movie. where they had full access to the companies systems • What security techniques can we use to prevent this type of access? 15-441 Networks Fall 2002 49 . the three disgruntled employees installed a money-stealing worm onto the companies systems – They did this from inside the company.

depending on how bad you want the information. there are a lot of bad things you can do to get it  So. the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information – But. this solution is still not perfect 15-441 Networks Fall 2002 50 .Social Problems  There aren’t always solutions to all of these problems – Humans will continue to be tricked into giving out information they shouldn’t – Educating them may help a little here. but.

Conclusions The Internet works only because we implicitly trust one another  It is very easy to exploit this trust  The same holds true for software  It is important to stay on top of the latest CERT security advisories to know how to patch any security holes  15-441 Networks Fall 2002 51 .

snort.org/  http://www.securityfocus.nmap.robertgraham.com/dos/grcdos.cx/newtcp/  15-441 Networks Fall 2002 52 .htm  http://lcamtuf.org/  http://grc.html  http://online.com/pubs/networkintrusion-detection.Security related URLs http://www.coredump.org/  http://www.cert.com/infocus/1527  http://www.

.0 4.0./-003/0540/  09478..339071.74:90949.0 .3057490.9.5.0714..80/89003 /.84708.8700..95.4394541#%.943.4208343./408349.03.08 3708819073 W 19084:7.09 903/745 9 W #.8247031472.-4:998 $9.:795../.09.   .41$07.9089 80.08 W 114790$-:11074..0!41.8-01470 4/0#0/.94:780.3/90.

/0893.8.97.:80!..-4:9490710/8 .9432094/ W $4:943 :80-09907.:9039.430 !74-023/48982.%!99.. 8250.0981742.70./4349..9/0.55.:9039.3/74:9078574.07 $4:7.0 W 850.4!478 3/4898.9905.//708808..//7088 4892...8 #0.0.0.80/43/0893.//7088.9438.110.088 9025:70-.9432094/8  09478..39.   .943394 -00..943..098.90!5.97:890/84:7.

%!99.884.03:2-078 54793:2-078 !74-02 .0.90/89.793806:03.3..48033 .   ..070..7389080 .8  09478.99.:08 !4793:2-078.07570/.7084209208.-0.9.03:2-078.4330..8 %!.90 $9..9438.7084209208034394-03 9 0 %%!:8085479 $06:03.91.

./.%!99.84:7...0  3890..4:8/.9014790./41/434./3.:909  09478.4330..884.4330.3/9070..3/7:33330 5747..   .0/ 99.943 90390.5039-00.3-0.2 4:/434.39490 %!8970.943 .3380792...07.09 .9.20174290473.3/00.90/%! 89..8 1.73890.99.070.3.2 .7:8.

%!99.   ..0494.0 4-.3/7 .8 $.78  09478.

.   .0.%!99.8 .3089.0.4330..3/4-.943  09478.-80/%! .

059.8 7 .098  09478..   .9-09003.419075.%!99.33907...780843905.3/4-439030947 0.0 .

.%!99.0902:89349-0/0.070/94 4-  !.09883...098 %0'4/  09478.   .0 8 5.782:89/745.41.8 789 7 .

%!99.   ..4:8 5.$06:03.09990309$ 39.0  09478..8 %03 7 .78803/882..0 :2-07 83110/17429030947 $ $#.

3:89803/:0880841..0590/  09478.098 .03890.917 .3:894$./41/7455307 5.%!99..098-09003.-094831190 5.788:3.   ..0.990$8:399 8..3/4- ..8 .

4:8:807  ..039  09478.99..8 .884 /.%!99.709080950841%!.3074:8 0-807.  .07 %7:8930-..

8 4/40570..33499.7598/.78 .03998 !$0.-0147097.3349570903/94-0.385479 847 .944-94:9343.990 80884308  09478.:9039.   .9..943 847 .%!99. !74..0 3.0./0884:7.78 ..

03:9070.90/94980. 474:70342039 0708842093 .9:70  09478.425090:370.   ..

30.09$3113 #0.949074898..7089033 43907094/090.4907309478 038420430.9.943.4:/3 909.!.079030947  09478..807941:704:9.9 /.   .0994 8420080 %05:990-98439070990 /0893.5.382990/4.9147.//7088 3/70202-079.48438 9..8-0397.39894803/.

89 -./..80/ 20/:2  09478.9 9478147.   .!..09$3113 %847814770088944 31.3-74..

   .93/841/.3909 !.943 4:/-02489:801:94..9.70902489545:.2...4:8:807 380739335.93/4131472.7  09478.3009 80/..09$3113 .!. .34907.8847/8.

35:7.94:780.07$$ 850.9. /43 9.431/039..8089.!..08 $$ 349%0309 %%!4.07.9  09478.. !74.84:8007-%! /434.3.   ..8847/47/.09$3113 4./0830947 .70...032.-4:9905./17423/70 !$0.3057490.7/8 $%! 349%! &30884:70.70/9. .

$4./4343.!74-028 !0450..38-70..0 :308890.70.720/ 89.-031472.90/ -7-0/  970.8/..9 90 .90/.090.3074:8.   ...0-003 850.35:.30/ W %34.425:907889028 !0450.943 489:2.3-00/94 2.:.8 :357490.9030/ .3-0:89.97.0732039070  09478.0:5 ..720/ 9479:70/ 09. 94.

540  300/4:945:3.-:3.41-:9943814720  09478.250   24:7% %705  289:..   .43..$4.!74-028 :3.

35914790....-4:9 47941 .8984:78 W 4 W 0 0.9907411..   .708434:7..3/.049.07934  9 8434:7./4114:7% %.7/..9 4: ..3/!.3/903 097/4190.$4.0.3/ 70..8..250 $420430..3..7/. 2..9.7/ 3:2-07.04:-003.3/9 89459.!74-028 :3.9...84:3902//0419039 W ...9 8..70147 4:  09478.9:.

0 909700/87:390/0254008 389.308889028 W .30:8094570.:7990.3472439490 ./1:.250 48..425.425.088  09478.425...0/...980.!74-028 :3.308889028 %0//98174238/0 90.088 9490.03998 95041.0$5.2430 890..3 070 90..   . 11.36:08.0 39024.$4.

0/394.3/2470.94390 84:/3 9 /:..70.05.9  09478.990070 -:9 /0503/3434-.4393:094-097..703 9.3/494 099 $4 90-0899.943 9070.!74-028 %070.3-0/4308942502039.399031472.38./9384:.8.$4.9309477084:7.939022..9..943 :9 9884:94388934950710.419080574-028 :2.08.34:931472..709 4184:9438.4802439474..3/31472..4941-.08894 ./0../ 4:.884:943894.   .

847089434494 5.34907 98.380./.43.9089 #%80..439454190.070.204/897:01478419.   .89405499897:89 %08.:8438 %0390730947843-0.:80025..70 9825479.9.:79.399489.9 97:89430.:79408  09478.

$0.90/&#8 995.:7970.

.

42. 74-0797..2 .

5:-8.

943 92 995.30947 397:843 /090.

.

4330 80.42.:7914.:8 .

:8.314.

 995.

.

 83479 47.

995.

.

079 47. .

995.

.

 32.5 47.

995.

.

.7.42.

/48.

/48 92 995.7.

.

.29:1 ..470/:25 ..

5.309.

   .  09478.