
Chapter 5: Security in Networks

Network
Uses of a network: resource sharing, data transmission / information sharing, communication.

Computer network
The merging of computers and communications has had a profound influence on the way computer systems are organized. The concept of a large computer to which users bring their work for processing is now totally obsolete. The old model of a single computer serving all of the organization's computational needs has been replaced by one in which a large number of separate but interconnected computers do the job. These systems are called computer networks.

Networks are both fragile and strong. To see why, think about the power, cable television, telephone, or water network that serves your home. If a falling tree branch breaks the power line to your home, you are without electricity until that line is repaired; you are vulnerable to what is called a single point of failure, because one cut to the network destroys electrical functionality for your entire home.

LAN
Local area networks, generally called LANs, are privately-owned networks within a single building or campus of up to a few kilometers in size. They are widely used to connect personal computers and workstations in company offices and factories to share resources (e.g., printers) and exchange information. LANs are distinguished from other kinds of networks by three characteristics: (1) Their size, (2) Their transmission technology, (3) Their topology. LANs are restricted in size, which means that the worst-case transmission time is bounded and known in advance. Knowing this bound makes it possible to use certain kinds of designs that would not otherwise be possible. It also simplifies network management.

Various topologies are possible for broadcast LANs; the common ones are bus and ring.

Metropolitan Area Networks


A metropolitan area network, or MAN, covers a city. The best-known example of a MAN is the cable television network available in many cities. This system grew from earlier community antenna systems used in areas with poor over-the-air television reception. In these early systems, a large antenna was placed on top of a nearby hill and the signal was then piped to the subscribers' houses. These were locally-designed, ad hoc systems. Then companies began jumping into the business, getting contracts from city governments to wire up an entire city. The next step was television programming and even entire channels designed for cable only. Often these channels were highly specialized, such as all news, all sports, all cooking, all gardening. (Figure: A metropolitan area network based on cable TV.)

WAN
Wide Area Network. It is similar to a Local Area Network (LAN), but it's a lot bigger. Unlike LANs, WANs are not limited to a single location. Many wide area networks span long distances via telephone lines, fiber-optic cables, or satellite links. They can also be composed of smaller LANs that are interconnected. The Internet could be described as the biggest WAN in the world. You could even call the Internet a Super WAN BAM if you wanted to. Or maybe not.

***IMP*** Simplest network: workstation (client) <------ communication medium ------> host (server)

More typical networks: many clients connected to many servers.
Basic terms:
- Node: can include a number of hosts (computers)
- Host: a computer on the network
- Link: connects hosts

Environment of use for networks:
- Portions of the network are exposed (not in protected space)
- Owned/controlled by different organizations/people
- Sometimes in an unfriendly or hostile environment

Typical network characteristics:
- Anonymity of users: on the Internet, nobody knows you're a dog
- Automation: minimal human supervision of communication
- Shortening the distance: can't tell if another user is far away or next door
- Opaqueness: users don't know the characteristics of the system they talk to (large/small? modest/powerful? same as last time or not?)
- Routing diversity: dynamic routing for reliability and performance

***

Media

Communication media include:
1) Cable
   - Copper wires: left over from the plain old telephone service (POTS) era
     - Twisted pair or unshielded twisted pair (UTP): twisting reduces crossover/interference; 10 Mbps, 300 ft (without boost); used locally or to connect to a communication drop
     - Coaxial cable, as used for cable TV; Ethernet cable is the most common; 100 Mbps, 1500 ft (without repeaters for digital signals or amplifiers for analog signals)
2) Optical fiber
   - Newer form of cable: strands of glass that carry pulses of light
   - 1000 Mbps, 2.5 miles
   - Less crossover/interference, lower cost, lighter
   - Used to replace copper (most long-distance lines are fiber now)
3) Wireless
   - Short-range radio communication
   - Protocol: 802.11 family of standards
4) Microwave
   - Form of radio communication
   - Bandwidth as for coax cable
   - A hop is limited to 30 miles by line-of-sight transmission and earth curvature
   - Well-suited for outdoor transmission; no need for repeaters
5) Infrared
   - Line-of-sight transmission
   - Convenient for portable devices
   - Typically used in protected space (an office)
6) Satellite
   a. Geosynchronous orbit (GEO), including geostationary orbit over the equator
      - A speeding satellite seems to be fixed over a point on earth
      - 22,240 miles (35,786 km) orbit, period: 1 day
      - For some communication applications, satellites are an alternative to intercontinental cables on the ocean bottom
      - Good for TV; bad for telephones (delay: earth-satellite-earth)
   b. Low earth orbit (LEO)
      - Seen from earth as moving satellites
      - ~95 miles (150 km) above the earth, period: 90 minutes
      - Cover ~660 miles (1000 km) radius
      - For full coverage require a satellite constellation, e.g., Iridium plans: 66 satellites

Protocol
ISO OSI Reference Model

Layer 7, Application: user-level messages
Layer 6, Presentation: standardized data appearance, blocking, text compression
Layer 5, Session: sessions/logical connections among parts of an app; message sequencing, recovery
Layer 4, Transport: flow control, end-to-end error detection and correction, priority service
Layer 3, Network: routing; messages are split into same-sized packets
Layer 2, Data Link: reliable data delivery over the physical medium; transmission error recovery; packets are split into same-sized frames
Layer 1, Physical: the actual communication medium; transmits bits across the physical medium

TCP/IP

Layer: Action / Responsibilities
- Application: prepare messages from user interaction / user interaction, addressing
- Transport: convert messages to packets / sequencing of packets, reliability (integrity), error correction
- Internet: convert packets to datagrams / flow control, routing
- Physical: transmit datagrams as individual bits / actual data communication

Threats in Networks

Here we start on protecting our network.


What Makes a Network Vulnerable?
An isolated home user or a stand-alone office with a few employees is an unlikely target for many attacks. But add a network to the mix and the risk rises sharply. Consider how a network differs from a standalone environment:

Anonymity. An attacker can mount an attack from thousands of miles away and never come into direct contact with the system, its administrators, or users. The potential attacker is thus safe behind an electronic shield. The attack can be passed through many other hosts in an effort to disguise the attack's origin.

Many points of attack: both targets and origins. When a file is stored in a network host remote from the user, the data or the file itself may pass through many hosts to get to the user. One host's administrator may enforce rigorous security policies, but that administrator has no control over other hosts in the network. Thus, the user must depend on the access control mechanisms in each of these systems. An attack can come from any host to any host, so that a large network offers many points of vulnerability.

Sharing. Because networks enable resource and workload sharing, more users have the potential to access networked systems than on single computers. Perhaps worse, access is afforded to more systems, so that access controls for single systems may be inadequate in networks.

Complexity of system. A network combines two or more possibly dissimilar operating systems. Therefore, a network operating/control system is likely to be more complex than an operating system for a single computing system. The ordinary desktop computer today has greater computing power than did many office computers in the last two decades. The attacker can use this power to advantage by causing the victim's computer to perform part of the attack's computation. And because an average computer is so powerful, most users do not know what their computers are really doing at any moment: What processes are active in the background while you are playing Invaders from Mars? This complexity diminishes confidence in the network's security.

Unknown path. Suppose that a user on host A1 wants to send a message to a user on host B3. That message might be routed through hosts C or D before arriving at host B3. Host C may provide acceptable security, but not D. Network users seldom have control over the routing of their messages.

Who attacks networks?

Who are the attackers? We don't have a list of names, but we can ask who the attackers might be.

MOM will help to answer this. MOM = Method/Opportunity/Motive. Motives of attackers: 1) Challenge/Power 2) Fame 3) Money/Espionage 4) Ideology

1) Attacking for challenge/power
   - Some enjoy the intellectual challenge of defeating the supposedly undefeatable
   - Successful attacks give them a sense of power
   - Not much challenge for the vast majority of hackers: they just replay well-known attacks using
2) Attacking for fame
   - Some are not satisfied with challenge only
   - Want recognition, even if by pseudonym only
   - Thrilled to see their pseudonym in the media
3) Attacking for money/espionage
   - Attacking for direct financial gains
   - Attacking to improve the competitiveness of one's company/organization (7/2002: Princeton admissions officers broke into Yale's system)
   - Attacking to improve the competitiveness of one's country: some countries support industrial espionage to aid their own industries
   - Attacking to spy on/harm another country: espionage and information warfare (steal secrets, harm defense infrastructure, etc.)
   - Few reliable statistics, mostly perceptions of attacks: 1997-2002 surveys of com/gov/edu/org (~500 responses/yr) found that 38-53% believed they were attacked by a US competitor and 23-32% believed they were attacked by a foreign competitor
4) Attacking to promote ideology. Two types of ideological attacks:
   - Hacktivism: disrupting normal operation without causing serious damage
   - Cyberterrorism: intent to seriously harm, including loss of life and serious economic damage

*** IMP *** Threat precursors

How do attackers prepare for attacks? They investigate and plan; these activities are threat precursors. If we detect threat precursors, we might be able to block attacks before they're launched. Threat precursor techniques include:
1. Port scan
2. Social engineering
3. Reconnaissance
4. OS and application fingerprinting
5. Using bulletin boards and chats
6. Getting available documentation

Port Scan

One way to gather network information is to use a port scan. For a particular IP address, a port scan reports which ports respond to messages and which of several known vulnerabilities seem to be present. Port scanning tells an attacker three things: 1) which standard ports or services are running and responding on the target system; 2) what operating system is installed on the target system; 3) what applications and versions of applications are present. This information is readily available for the asking from a networked system; it can be obtained quietly, anonymously, without identification or authentication, drawing little or no attention to the scan.

Port scanning tools are readily available: 1) Nmap 2) NetCap 3) Port Scanner
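The notes say that detecting threat precursors lets a defender block an attack before it is launched. As an added example (not from the original notes), here is a small Python detector that flags port-scan activity in constructed firewall log lines: one source touching many distinct ports on one host within a short window. The log layout, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real traffic, assumed format): one
# scanner probing ten ports in five seconds, plus two benign connections.
SAMPLE_LOG = """\
2024-01-15T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=21 action=DROP
2024-01-15T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=ACCEPT
2024-01-15T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=23 action=DROP
2024-01-15T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=25 action=DROP
2024-01-15T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=80 action=ACCEPT
2024-01-15T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=110 action=DROP
2024-01-15T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=143 action=DROP
2024-01-15T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=443 action=ACCEPT
2024-01-15T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=445 action=DROP
2024-01-15T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=DROP
2024-01-15T10:00:06 src=198.51.100.4 dst=192.0.2.10 dport=443 action=ACCEPT
2024-01-15T10:05:00 src=198.51.100.4 dst=192.0.2.10 dport=80 action=ACCEPT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\S+)$")

def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than crashing on them
            events.append((datetime.fromisoformat(m["ts"]), m["src"],
                           m["dst"], int(m["dport"]), m["action"]))
    return events

def detect_port_scans(events, min_ports=8, window_seconds=60):
    """Return {(src, dst): sorted ports} where one source touched at least
    min_ports distinct ports on one host within window_seconds. Accepted and
    dropped probes both count: a scan maps open and closed ports alike."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            # Keep the largest distinct-port set seen for this pair.
            if len(ports) >= min_ports and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(ports)
    return alerts
```

The window matters: the two benign connections from 198.51.100.4 are five minutes apart, so they only trip a very loose threshold.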

Social Engineering
The port scan gives an external picture of a network: where are the doors and windows, of what are they constructed, to what kinds of rooms do they open? The attacker also wants to know what is inside the building. What better way to find out than to ask?

For example, suppose, while sitting at your workstation, you receive a phone call. "Hello, this is John Davis from IT support. We need to test some connections on the internal network. Could you please run the command ipconfig/all on your workstation and read to me the addresses it displays?" The request sounds innocuous. But unless you know John Davis and his job responsibilities well, the caller could be an attacker gathering information on the inside architecture.

Social engineering involves: 1) using social skills and 2) personal interaction to get someone to reveal security-relevant information and perhaps even to do something that permits an attack. Because the victim has helped the attacker (and the attacker has profusely thanked the victim), the victim will think nothing is wrong and not report the incident. Thus, the damage may not be known for some time.

An attacker has little to lose in trying a social engineering attack. At worst it will raise awareness of a possible target. But if the social engineering is directed against someone who is not skeptical, especially someone not involved in security management, it may well succeed. We as humans like to help others when asked politely.

***IMP*** Example: phone call asking for system info
- Never provide system info to a caller
- Ask for identification
- Best: refer to the help desk or the proper system/security authority
- If contact with the system/security authority is impossible, you might consider calling back, but using a phone number known to you from an independent source (not the number given by the caller). Independent source: known beforehand, obtained from the company directory, etc.

Reconnaissance
= collecting discrete bits of security information from various sources and putting them together. Reconnaissance techniques include:
- Dumpster diving
- Eavesdropping (e.g., follow employees to lunch, listen in)
- Befriending key personnel (social engineering!)
Reconnaissance requires little training, minimal investment and limited time, BUT can give a big payoff in gaining background information.

OS and application fingerprinting

= finding out the OS/app name, manufacturer and version by using peculiarities in OS/app responses.
Example: the attacker's approach
- An earlier port scan (e.g., nmap) reveals that port 80 (HTTP) is running
- The attacker uses Telnet to send a meaningless message to port 80
- The attacker uses the response (or the lack of it) to infer which of many possible OS/apps it is
- Each version of an OS/app has its fingerprint (peculiarities) that reveals its identity (manufacturer, name, version)

How can the attacker answer these questions? The network protocols are standard and vendor independent. Still, each vendor's code is implemented independently, so there may be minor variations in interpretation and behavior. The variations do not make the software noncompliant with the standard, but they are different enough to make each version distinctive. For example, each version may have different sequence numbers, TCP flags, and new options. To see why, consider that sender and receiver must coordinate with sequence numbers to implement the connection of a TCP session. Some implementations respond with a given sequence number, others respond with the number one greater, and others respond with an unrelated number. Likewise, certain flags in one version are undefined or incompatible with others. How a system responds to a prompt (for instance, by acknowledging it, requesting retransmission, or ignoring it) can also reveal the system and version. Finally, new features offer a strong clue: a new version will implement a new feature but an old version will reject the request. All these peculiarities together are sometimes called the operating system or application fingerprint.

Bulletin Boards and Chats


The Internet is probably the greatest tool for sharing knowledge since the invention of the printing press. It is probably also the most dangerous tool for sharing knowledge. Numerous underground bulletin boards and chat rooms support exchange of information. Attackers can post their latest exploits and techniques, read what others have done, and search for additional information on systems, applications, or sites.

Availability of Documentation

The vendors themselves sometimes distribute information that is useful to an attacker. For example, Microsoft produces a resource kit by which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications. This toolkit also gives attackers tools to use in investigating a product that can subsequently be the target of an attack.

Threats in Transit: Eavesdropping and Wiretapping


The easiest way to attack is simply to listen in. An attacker can pick off the content of a communication passing in the clear. The term eavesdrop implies overhearing without expending any extra effort. For example, we might say that an attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. The administrator might have a legitimate purpose, such as watching for inappropriate use of resources (for instance, visiting non-work-related web sites from a company network) or communication with inappropriate parties (for instance, passing files to an enemy from a military computer). A more hostile term is wiretap, which means intercepting communications through some effort. Passive wiretapping: just "listening," much like eavesdropping. Active wiretapping: injecting something into the communication.

For example, Marvin could replace Manny's communications with his own or create communications purported to be from Manny. Originally derived from listening in on telegraph and telephone communications, the term wiretapping usually conjures up a physical act by which a device extracts information as it flows over a wire. But in fact no actual contact is necessary. A wiretap can be done covertly so that neither the sender nor the receiver of a communication knows that the contents have been intercepted.

1) Wiretapping cables
   - Via packet sniffer for Ethernet or other LAN: messages are broadcast onto the Ethernet or other LAN, and the sniffer reads all data packets, not only the ones addressed to this node
   - By means of inductance: using radiation emitted by the cable; the tap must be close to the cable
   - By splicing/connecting to the cable: can be detected by a resistance/impedance change
   - Note: if the signal is multiplexed (on WANs), the wiretapper must extract packets of interest from the intercepted data
2) Wiretapping microwave
   - Signal is broadcast through the air and dispersed, so it is accessible to attackers; a very insecure medium
   - Protected by volume: carries a lot of various data, multiplexed
3) Wiretapping satellite links
   - Very wide signal dispersion (even k*100 by n*1,000 mi), so easy to intercept
   - Protected by being highly multiplexed
