
3feaf1938a5a6b2abafda47b7b590981.ppt
- Number of slides: 59
Security
Copyright 2003 Prentice-Hall. Panko's Business Data Networking and Telecommunications, 4th edition
Types of Attackers
- Wizard Internet Hackers
  - Highly capable attackers
- Amateurs (Script Kiddies)
  - Light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency

Types of Attackers
- Criminals
  - Theft of credit card numbers, trade secrets, and other sensitive information
  - Sell the information or attempt extortion to prevent the release of the information
  - Individual criminals
  - Industrial and government espionage spies

Types of Attackers
- Employees
  - Dangerous because of internal knowledge and access
  - Often, large losses per incident due to theft, fraud, or sabotage

Types of Attackers
- Information Warfare and Cyberterrorism
  - Massive attack by a government or terrorist group against a country's IT infrastructure
  - Attacks by amateur cyberterrorists are already starting to approach this level of threat
Types of Security Systems: Secure Communication System
[Figure: message exchange between a Client PC and a Server. An Attacker taps into the conversation and tries to read messages, alter messages, or add new messages.]

Types of Security Systems: Attack Prevention System
[Figure: an Attacker on the Internet sends an attack message toward the corporate network. A Firewall sits between the Internet and the corporate network, which contains a hardened Client PC and a hardened Server with permissions.]
Attacks Requiring Protection
- Hacking Servers
  - Access without permission or in excess of permission
  - Attractive because of the data they store
- Hacking Clients
  - Attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform
  - Soft targets compared to servers; most users are security novices

Attacks Requiring Protection
- Denial-of-Service (DoS) Attacks
  - Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.
[Figure: single-message DoS attack. The Attacker sends one message that crashes the victim Server.]
[Figure: message-stream DoS attack. The Attacker sends a stream of messages that overloads the victim Server.]

Denial-of-Service Attacks
[Figure: distributed DoS (DDoS) attack, in which messages come from many sources. The Attacker sends an attack command to computers running a zombie program; each zombie then sends a message stream at the victim Server.]

Attacks Requiring Protection
- Scanning Attacks
  - To identify victims and ways of attacking them
  - Attacker sends messages to select victims and attack methods
  - Examines data that responses reveal
    - IP addresses of potential victims
    - What services victims are running; different services have different weaknesses
    - Host's operating system, version number, etc.

Attacks Requiring Protection
- Malicious Content
  - Viruses
    - Infect files; propagate by executing infected program
    - Payloads may be destructive
  - Worms: propagate by themselves
  - Trojan horses (appear to be one thing, such as a game, but actually are malicious)
  - Snakes: combine worm with virus, Trojan horses, and other attacks

Attacks Requiring Protection
- Malicious Content
  - Illegal content: pornography, sexual or racial harassment
  - Spam (unsolicited commercial e-mail)
  - Security group is often called upon to address pornography, harassment, and spam
Packet Filter Firewall
[Figure: arriving packets from the Internet (an IP header with a UDP header and application message, an IP header with a TCP header and application message, and an ICMP message) reach the packet filter firewall at the edge of the corporate network; each is either permitted or denied. The firewall examines packets in isolation: fast, but misses some attacks.]

Access Control List Fragment
- For Packets Containing TCP Segments:
- Rule 1
  - IF Interface = Internal
  - AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007)
  - THEN DENY
  - Remark: Used by a well-known Trojan horse program.

Access Control List Fragment
- Rule 2:
  - IF Interface = External
  - AND Destination Port Number = 80
  - AND Destination IP Address = 172.16.210.22
  - THEN PERMIT
  - Remark: Going to a known webserver.

Access Control List Fragment
- Rule 3:
  - IF Interface = External
  - AND Destination Port Number = 80
  - AND Destination IP Address = NOT 172.16.210.22
  - THEN DENY
  - Remark: Going to an unknown webserver.

Access Control List Fragment
- Rule 4:
  - IF Interface = External
  - AND (SYN = Set AND FIN = Set)
  - THEN DENY
  - Remark: Used in host scanning attacks and not in real transactions.

Access Control List Fragment
- Order
  - Rules are executed in order
  - If a packet is passed or denied by one rule, it will not reach subsequent rules
  - Mis-configuration is easy, opening the network to attack
  - Always test a firewall by hitting it with attack messages to see if they are handled properly
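The four rules above, run in first-match order, as an added example (not the textbook's own code). It shows why ordering matters: with the rules in the order given, a packet with both SYN and FIN set that is addressed to the known webserver on port 80 is permitted by Rule 2 before Rule 4 ever sees it, and moving Rule 4 to the front closes that gap. The default action when no rule matches is assumed to be DENY (the slides do not state one), and the sample addresses other than 172.16.210.22 are constructed.

```python
from dataclasses import dataclass

KNOWN_WEBSERVER = "172.16.210.22"                 # the webserver named in Rules 2 and 3
TROJAN_PORTS = {7056} | set(range(8002, 8008))    # 7056 and 8002 through 8007 (Rule 1)


@dataclass
class Packet:
    """The header fields the ACL fragment looks at (TCP packets only)."""
    interface: str          # "Internal" or "External": the interface the packet arrived on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
    fin: bool = False


# Each rule returns "PERMIT" or "DENY" when it matches, otherwise None.
def rule1(p):
    if p.interface == "Internal" and p.src_port in TROJAN_PORTS:
        return "DENY"            # source port used by a well-known Trojan horse


def rule2(p):
    if p.interface == "External" and p.dst_port == 80 and p.dst_ip == KNOWN_WEBSERVER:
        return "PERMIT"          # going to the known webserver


def rule3(p):
    if p.interface == "External" and p.dst_port == 80 and p.dst_ip != KNOWN_WEBSERVER:
        return "DENY"            # going to an unknown webserver


def rule4(p):
    if p.interface == "External" and p.syn and p.fin:
        return "DENY"            # SYN and FIN both set: scanning, not a real transaction


ACL = [rule1, rule2, rule3, rule4]          # the order shown on the slides


def filter_packet(p, acl=ACL, default="DENY"):
    """Apply rules in order; return (decision, rule number) for the first match.

    A packet passed or denied by one rule never reaches later rules. If no rule
    matches, the assumed default of DENY applies (rule number None).
    """
    for number, rule in enumerate(acl, start=1):
        decision = rule(p)
        if decision is not None:
            return decision, number
    return default, None


if __name__ == "__main__":
    # Constructed test packets (addresses other than the webserver are made up).
    scan = Packet("External", "203.0.113.5", KNOWN_WEBSERVER, 40000, 80, syn=True, fin=True)
    print("slide order:", filter_packet(scan))                 # ('PERMIT', 2): Rule 2 wins
    print("Rule 4 first:", filter_packet(scan, [rule4] + ACL[:3]))   # ('DENY', 1)
```

The second call is the "hit it with attack messages" test the slides recommend: the same SYN/FIN packet evaluated against a reordered list shows whether the intended rule is actually the one that fires.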
Stateful Firewall (beyond what is in the book)
- Does not examine packets in isolation
- Examines each packet to see if it is part of an ongoing conversation
- Catches errors that packet filter firewalls cannot
  - Refuses a TCP acknowledgement if an internal host has not opened a connection to that host
- Usually does not examine a packet in detail if the packet is part of an ongoing conversation
  - This can miss attack packets
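A minimal connection-tracking table that behaves as the slide describes, added here as an example rather than taken from the book. Conversations are opened only by an outbound SYN from an internal host; an inbound ACK with no matching entry is refused, while anything matching an entry is permitted without further inspection (the weakness the last bullet notes). The internal address range, the flag handling on FIN/RST and all sample addresses are assumptions made for the example.

```python
class StatefulFirewall:
    """Tracks conversations opened by internal hosts (simplified model)."""

    def __init__(self, internal_prefix="192.168."):
        self.internal_prefix = internal_prefix
        # Each entry: (internal_ip, internal_port, external_ip, external_port)
        self.connections = set()

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def handle(self, src_ip, src_port, dst_ip, dst_port, flags):
        """Return "PERMIT" or "DENY". `flags` is a set of TCP flag names."""
        if self.is_internal(src_ip):
            key = (src_ip, src_port, dst_ip, dst_port)
            if "SYN" in flags and "ACK" not in flags:
                self.connections.add(key)        # internal host opens a conversation
                return "PERMIT"
            if key in self.connections:
                if "FIN" in flags or "RST" in flags:
                    self.connections.discard(key)  # internal side closes it
                return "PERMIT"
            return "DENY"                          # stray outbound packet, no conversation

        # Inbound: accepted only if an internal host opened this conversation.
        # Note that the packet's content is not examined at all once it matches,
        # which is exactly how an attack packet inside a tracked conversation slips by.
        key = (dst_ip, dst_port, src_ip, src_port)
        if key in self.connections:
            if "RST" in flags:
                self.connections.discard(key)
            return "PERMIT"
        return "DENY"                              # e.g. an ACK nobody asked for


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed traffic: an unsolicited ACK arrives before any connection exists.
    print(fw.handle("203.0.113.9", 80, "192.168.1.10", 40000, {"ACK"}))            # DENY
    print(fw.handle("192.168.1.10", 40000, "203.0.113.9", 80, {"SYN"}))            # PERMIT
    print(fw.handle("203.0.113.9", 80, "192.168.1.10", 40000, {"SYN", "ACK"}))     # PERMIT
```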
Application (Proxy) Firewall
[Figure, four steps: an Application Firewall running an FTP proxy, an HTTP proxy, and an SMTP (e-mail) proxy sits between the Client PC (browser) and the Webserver (webserver application). 1. The browser sends an HTTP request to the HTTP proxy. 2. The HTTP proxy passes the examined HTTP request to the webserver application. 3. The webserver application sends the HTTP response to the HTTP proxy. 4. The HTTP proxy passes the examined HTTP response to the browser.]

Application (Proxy) Firewall
- Can examine the application message to filter packets by application content
- If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy only has indirect contact
- Internal client's IP address is hidden. All packets sent back by the server have the address of the application proxy server.
- Need a separate proxy program for each application
Network Address Translation (NAT)
[Figure: 1. The internal Client sends a packet from 192.168.34.2, port 13472 to the NAT firewall. 2. The NAT firewall forwards it over the Internet to the Server Host as coming from 172.47.9.6, port 31789, recording the pair in its translation table. 3. The Server Host replies to 172.47.9.6, port 31789. 4. The NAT firewall looks up the translation table and delivers the reply to 192.168.34.2, port 13472.]

Translation Table
  Internal IP Addr   Internal Port   External IP Addr   External Port
  192.168.34.2       13472           172.47.9.6         31789
  ...                ...             ...                ...
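The translation table above, driven by the two directions of traffic, as an added example (not from the book). Outbound packets get a table entry and a fresh external port; inbound packets are delivered only if their destination port has an entry, so an unsolicited packet from the Internet never reaches an internal host. The firewall's external address and the first port number are the ones on the slide; the server address and the port-allocation rule (sequential from 31789) are assumptions for the example.

```python
import itertools


class NatFirewall:
    """Port-based NAT: one external address shared by many internal hosts."""

    def __init__(self, external_ip="172.47.9.6", first_port=31789):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)   # assumed: ports handed out in sequence
        self.out_table = {}   # (internal_ip, internal_port) -> external_port
        self.in_table = {}    # external_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 1-2: rewrite the source of a packet leaving the corporate network.

        Returns the (src_ip, src_port, dst_ip, dst_port) the Internet will see.
        """
        key = (src_ip, src_port)
        if key not in self.out_table:            # first packet of this flow: add a row
            ext_port = next(self._ports)
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return (self.external_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 3-4: map a reply back to the internal host, or None if no row matches."""
        if dst_ip != self.external_ip or dst_port not in self.in_table:
            return None                            # no table entry: packet is dropped
        int_ip, int_port = self.in_table[dst_port]
        return (src_ip, src_port, int_ip, int_port)

    def table(self):
        """The translation table as rows of (internal ip, internal port, external ip, external port)."""
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.out_table.items()]


if __name__ == "__main__":
    nat = NatFirewall()
    server = "198.51.100.7"   # constructed address for the Server Host
    print(nat.outbound("192.168.34.2", 13472, server, 80))   # ('172.47.9.6', 31789, '198.51.100.7', 80)
    print(nat.inbound(server, 80, "172.47.9.6", 31789))      # ('198.51.100.7', 80, '192.168.34.2', 13472)
    print(nat.inbound(server, 80, "172.47.9.6", 31790))      # None: nobody opened this
    print(nat.table())
```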
Intrusion Detection
[Figure: 1. An Attacker sends an attack packet and a Legitimate Host sends a legitimate packet toward an Internal Host. 2. Copies of all packets go to the Intrusion Detection System. 3. The IDS sends the Network Administrator a notification of a possible attack. 4. The Network Administrator analyzes the packet dump.]

Firewalls versus Intrusion Detection (new; not in the book)
- Firewalls permit or deny traffic based on filtering rules
- Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action
- Some firewalls issue alerts when packets are dropped, and most firewalls log all drops
- IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific

Hardening Clients and Servers
- Known Weaknesses
  - Known security weaknesses in operating systems and application programs
  - Most vendors issue patches to fix these known weaknesses; firms download them
  - Firms often fail to do so (vendors issue 30-50 patches per week); patches must be installed on each server
- Host Firewalls
  - Server firewalls and personal (client) firewalls

Hardening Clients and Servers
- Server Authentication
  - Passwords
    - Cracking with exhaustive search and dictionary attacks
    - Strong passwords
    - Super accounts

Hardening Clients and Servers
- Server Authentication
  - Rules for Strong Passwords
    - At least 8 characters long
    - At least one change of case
    - At least one digit (0-9) not at the end
    - At least one non-alphanumeric character (#@%^&*!) not at the end
Kerberos Authentication (Simplified)
[Figure: 1. The Applicant performs an initial sign-on with the Kerberos Server. 2. The Applicant sends a ticket request to the Kerberos Server. 3. The Kerberos Server returns a ticket. 4. The Applicant presents the ticket to the Verifier.]

Hardening Clients and Servers
- Server Authentication
  - Biometric authentication
    - Iris: most accurate
    - Face recognition: controversial in public places for mass identification
    - Fingerprint: least expensive
    - Other forms of biometric identification
  - Smart cards (ID card with microprocessor and data)

Hardening Clients and Servers
- Limiting Permissions on Servers (Ch. 10)
  - Only permit access to some directories
  - Limit permissions (what the user can do) there
  - Like controlling access to a building: not allowed to go anywhere and remove items, etc.

Secure Communication System
[Figure, between the Client PC and the Server: 1. Initial negotiation of security parameters. 2. Mutual authentication. 3. Key exchange or key agreement. 4. Subsequent communication with message-by-message confidentiality, authentication, and message integrity.]

Symmetric Key Encryption for Confidentiality
[Figure, three stages: Party A applies the encryption method and the symmetric key to the plaintext "Hello", producing the ciphertext "1101". The ciphertext "1101" crosses the network, where an Interceptor sees only the ciphertext. Party B, holding the same symmetric key, applies the decryption method and key to the ciphertext "1101" and recovers the plaintext "Hello".]

Public Key Encryption for Confidentiality
[Figure: Party A encrypts with Party B's public key; Party B decrypts with Party B's private key. In the other direction, Party B encrypts with Party A's public key; Party A decrypts with Party A's private key.]
MS-CHAP Challenge-Response Authentication Protocol
Note: both the Client and the Server know the Client's password.
1. The Verifier creates a challenge message.
2. The Verifier sends the challenge message to the Applicant.
3. The Applicant creates the response message:
   a) Adds the password to the challenge message
   b) Hashes the resultant bit string
   c) This gives the response message
4. The Applicant sends the response message (the transmitted response).
5. The Verifier adds the password to the challenge message it sent and hashes the combination. This should be the expected response message.
6. If the transmitted response and the expected response are equal, the Client knows the password and is authenticated.
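The six steps above with both sides written out, as an added example that follows the slides' simplified model rather than the real MS-CHAP message formats (which derive the response from the NT password hash; here the challenge and password are simply concatenated and hashed with SHA-256, an assumption for the example). It also shows the two properties the slides rely on: the password never crosses the wire, and because each challenge is fresh and used once, an old response replayed against a new challenge fails.

```python
import hashlib
import hmac
import os


def make_challenge(nbytes: int = 16) -> bytes:
    """Step 1: the verifier creates a fresh, unpredictable challenge."""
    return os.urandom(nbytes)


def compute_response(challenge: bytes, password: str) -> bytes:
    """Step 3 (applicant) and step 5 (verifier): add the password to the challenge, hash the result."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


class Verifier:
    """Holds the users' passwords (both sides know them) and the outstanding challenges."""

    def __init__(self, passwords: dict):
        self.passwords = passwords      # user -> password; constructed for the example
        self.outstanding = {}           # user -> challenge currently awaiting a response

    def start(self, user: str) -> bytes:
        """Steps 1-2: create a challenge and hand it to the applicant."""
        challenge = make_challenge()
        self.outstanding[user] = challenge
        return challenge

    def finish(self, user: str, transmitted_response: bytes) -> bool:
        """Steps 5-6: recompute the expected response and compare."""
        challenge = self.outstanding.pop(user, None)   # a challenge is answered at most once
        password = self.passwords.get(user)
        if challenge is None or password is None:
            return False
        expected = compute_response(challenge, password)
        # Constant-time comparison so the verifier's timing does not leak which bytes matched.
        return hmac.compare_digest(expected, transmitted_response)


class Applicant:
    def __init__(self, password: str):
        self.password = password

    def respond(self, challenge: bytes) -> bytes:
        """Steps 3-4: build the response message to transmit."""
        return compute_response(challenge, self.password)


if __name__ == "__main__":
    verifier = Verifier({"lee": "correct horse"})          # constructed account
    applicant = Applicant("correct horse")
    challenge = verifier.start("lee")
    response = applicant.respond(challenge)
    print("genuine:", verifier.finish("lee", response))      # True
    print("replay:", verifier.finish("lee", response))       # False: no outstanding challenge
    verifier.start("lee")
    print("replay against new challenge:", verifier.finish("lee", response))   # False
```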
Digital Signature
[Figure: the Sender adds a digital signature (DS) to each plaintext message sent to the Receiver. This provides message-by-message authentication.]

Digital Signature: Sender
To create the digital signature:
1. Hash the plaintext to create a brief message digest (MD). This is NOT the digital signature.
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature (DS).
[Figure: Plaintext -> Hash -> MD -> Sign (encrypt) MD with sender's private key -> DS]

Digital Signature
[Figure: the Sender encrypts the plaintext plus the digital signature with a symmetric session key and transmits the result; the Receiver decrypts it.]

Digital Signature: Receiver
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
2. Decrypt the digital signature with the sender's public key. This also should give the message digest.
3. If the two match, the message is authenticated: the sender has the true party's private key.
[Figure: Received plaintext -> Hash -> MD; DS -> Decrypt with true party's public key -> MD; are they equal?]

Public Key Deception
[Figure, an exchange between the Impostor and the Verifier:
Impostor: "I am the True Person." Verifier: must authenticate the True Person.
Impostor: "Here is TP's public key." (Sends the Impostor's public key.) This is the critical deception. Verifier: believes it now has TP's public key.
Impostor: "Here is authentication based on TP's private key." (Really the Impostor's private key.) Verifier: believes the True Person is authenticated, based on the Impostor's public key.
Verifier: "True Person, here is a message encrypted with your public key." The message is encrypted with the Impostor's public key, so the Impostor can decrypt it.]
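The sender and receiver steps for digital signatures, plus the public key deception, carried through in code as an added example (not the book's). The key pair is textbook RSA with two roughly 20-bit primes found by trial division, and the SHA-256 digest is reduced modulo n so the toy key can sign it; both are assumptions made so the example runs offline, and neither is how a real signature scheme is built (real keys are thousands of bits and use padded digests). The point it demonstrates is the one the slides make: verification proves only that the signer holds the private key matching whatever public key the verifier trusts, so if the verifier accepted the Impostor's public key as the True Person's, the Impostor's signature verifies perfectly. The message text and the seeds for the primes are constructed.

```python
import hashlib
import math


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed: int, e: int = 65537):
    """Toy RSA key pair from the two primes above `seed`; returns (public, private)."""
    p = next_prime(seed)
    q = next_prime(p)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible modulo phi(n)
        q = next_prime(q)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # private exponent (Python 3.8+)
    return (n, e), (n, d)


def message_digest(plaintext: bytes, n: int) -> int:
    """Hash the plaintext to a brief message digest (reduced mod n so the toy key can sign it)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext: bytes, private_key) -> int:
    """Sender: hash, then sign (encrypt) the digest with the private key. The result is the DS."""
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext: bytes, signature: int, public_key) -> bool:
    """Receiver: decrypt the DS with the public key and compare with a fresh digest of the plaintext."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(plaintext, n)


if __name__ == "__main__":
    tp_pub, tp_priv = make_keypair(10**6)        # the True Person's key pair (constructed)
    imp_pub, imp_priv = make_keypair(2 * 10**6)  # the Impostor's key pair (constructed)
    msg = b"Transfer 100 to Lee"                 # constructed message

    ds = sign(msg, tp_priv)
    print("genuine message:", verify(msg, ds, tp_pub))                          # True
    print("altered message:", verify(b"Transfer 900 to Lee", ds, tp_pub))       # False
    print("impostor's DS, true key:", verify(msg, sign(msg, imp_priv), tp_pub)) # False
    # The deception: the verifier was handed imp_pub believing it was tp_pub.
    print("impostor's DS, impostor key:", verify(msg, sign(msg, imp_priv), imp_pub))  # True
```

The last line is why a public key on its own authenticates nobody: the check that closes the gap is binding the public key to a name, which is what the digital certificates on the next slide do.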
Digital Certificates
- Digital certificates are electronic documents that give the true party's name and public key
- Applicants claiming to be the true party have their authentication methods tested by this public key
- If they are not the true party, they cannot use the true party's private key and so will not be authenticated

Public Key Infrastructure (PKI)
[Figure: a Certificate Authority runs a PKI server; Brown and Cheng are verifiers and Lee is an applicant. Steps 1-2: the Certificate Authority creates and distributes private keys and digital certificates. 3. Cheng requests the certificate for Brown. 4. The PKI server returns the certificate for Brown. 5. Lee presents Lee's certificate to Brown. 6. Brown asks the PKI server to check the certificate revocation list (CRL) for Lee's digital certificate. 7. The PKI server answers revoked or OK.]

Security at Multiple Layers
  Layer         Example
  Application   Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls
  Transport     SSL (TLS), Packet Filter Firewalls
  Internet      IPsec, Packet Filter Firewalls
  Data Link     Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)
  Physical      Locks on computers, Notebook Encryption

Security at Multiple Layers
- Having security at multiple layers provides protection if one layer's security fails
- Having security at multiple layers also slows processing on the device
- So provide protection in at least two layers but not in all layers

Creating Appropriate Security
- Understanding Needs
  - Need to make security proportional to risks
  - Organizations face different risks
- Policies and Enforcement
  - Policies bring consistency
  - Training in the importance of security and in protection techniques
  - Social engineering prevention training

Creating Appropriate Security
- Policies and Enforcement
  - Security audits: attack your system proactively
    - You must really be able to trust your testers
  - Incident handling
    - Restoring the system
    - Prosecution
    - Planning and practicing
- Privacy
  - Need to protect employee & customer privacy