© 2009 Pearson Education, Inc. Publishing as Prentice Hall

Chapter 9, Updated January 2009

Raymond Panko’s Business Data Networks and Telecommunications, 7th edition

May only be used by adopters of the book

Security


9-1: Security

• A Major Threat 

• Intelligent Adversaries

– Not just human error to contend with

– Adapt to defenses

• Recap from Chapter 1

– Authentication

– Cryptography for messages

– Firewalls

– Host hardening


9-2: Basic Terminology

• Understand the Organization’s Security Needs

– To do this, understand the threat environment

– Types of attacks a company faces and will face in the future

• Successful Attacks Are Called

– Compromises

– Incidents

– Breaches


9-3: Malware

• Malware

– A general name for evil software

• Viruses

– Pieces of code that attach to other programs

– Virus code executes when infected programs execute

– Infect other programs on the computer

– Spread to other computers by e-mail attachments, IM, peer-to-peer file transfers, etc.

– Antivirus programs are needed to scan arriving files

• Also scan for other malware


9-3: Malware

• Worms

– Stand-alone programs that do not need to attach to other programs

– Can propagate like viruses through e-mail, etc.

• This requires human gullibility, which is unreliable and slow


9-3: Malware

• Worms

– Vulnerability-enabled worms jump to victim hosts directly

• Can do this because hosts have vulnerabilities

– Vulnerability-enabled worms can spread with amazing speed

– Vendors develop patches for vulnerabilities, but companies often fail or are slow to apply them

(Figure: Infested Computer → Computer with Vulnerability)


9-3: Malware

• Payloads

– After propagation, viruses and worms execute their payloads

– Payloads erase hard disks or send users to pornography sites if they mistype URLs

– Trojan horses are exploitation programs that disguise themselves as system files

– Spyware Trojans collect sensitive data and send the data to an attacker


9-4: Attacks on Individuals

• Social Engineering

– Tricking the victim into doing something against his or her interests

• Spam

– Unsolicited commercial e-mail

• Fraud

– Deceiving individuals to get them to do things against their interests

• Taking the Reader to a Web site with Malware


9-4: Attacks on Individuals

• Credit Card Number Theft

– Performed by carders

• Identity theft

– Involves collecting enough data to impersonate the victim in large financial transactions

• Phishing

– A sophisticated social engineering attack in which an authentic-looking e-mail or Web site entices the user to enter his or her username, password, or other sensitive information


9-5: Human Break-Ins

• Human Break-Ins

– Viruses and worms rely on one main attack method

– Humans can keep trying different approaches until they succeed

• Hacking

– Hacking is breaking into a computer

– More precisely, hacking is intentionally using a computer resource without authorization or in excess of authorization


9-5: Human Break-Ins

• Scanning Phase

– Send attack probes to map the network and identify possible victim hosts

– The Nmap program is popular for scanning attacks (Figure 9-6)


Figure 9-6: Nmap Scanning Output

(Figure: screenshot annotated with the IP range to scan, the type of scan, and the identified host and its open ports)


9-5: Human Break-Ins

• The Break-In

– Uses an exploit—a tailored attack method that is often a program

– Normally exploits a vulnerability on the victim computer

– Often aided by a hacker tool

– The act of breaking in is called the exploit

– The hacker tool is also called an exploit


9-5: Human Break-Ins

• After the Break-In

– The hacker downloads a hacker tool kit to automate hacking work

– The hacker becomes invisible by deleting log files

– The hacker creates a backdoor (way to get back into the computer)

• Backdoor account—account with a known password and full privileges

• Backdoor program—program to allow reentry; usually Trojanized


9-5: Human Break-Ins

• After the Break-In

– The hacker can then do damage at his or her leisure

• Download a Trojan horse to continue exploiting the computer after the attacker leaves

• Manually give operating system commands to do damage


9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots

In a distributed denial-of-service attack, the attacker floods the victim computer (or network) with more traffic than the victim can handle. Legitimate users are denied service from the unavailable server.


9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots

The attacker installs Bot programs on many PCs. This is called a botnet.


9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots

When it is time to attack the victim, the attacker sends attack commands to all of the Bots.


9-7: Distributed Denial-of-Service (DDoS) Attack Using Bots

The Bots then begin flooding the victim with attack packets, rendering the victim unavailable to users.


9-8: Bots

Bots can be updated by their human master to fix bugs or to give new functionality—for instance, to change the Bot from a DoS attacker to a spambot.


9-9: Types of Attackers

• Traditional Attackers

– Traditional Wizard Hackers

• Hackers break into computers

• Driven by curiosity, a desire for power, and peer reputation

– Virus writers


9-9: Types of Attackers

• Traditional Attackers

– Script kiddies use scripts (easy to use attack programs) written by experienced hackers and virus writers

• Script kiddies have limited knowledge and abilities

• But large numbers of script kiddies make them dangerous

– Disgruntled employees and ex-employees


9-9: Types of Attackers

• Criminal Attackers

– MOST attacks are now made by criminals

– Crime generates funds that criminal attackers need to increase attack sophistication

– Computer crime today is larger than drug crime!


9-9: Types of Attackers (Cont.)

• On the Horizon

– Cyberterror attacks by terrorists

• Attacks on technology

• Destroy communication after physical attack for chaos

– Cyberwar by nations

• Espionage

• Attacks on national cyberinfrastructures

– Potential for truly massive attacks


9-10: Security Planning

• Security Is a Management Issue, Not a Technical Issue

– Without good management, technology cannot be effective

– A company must have good security processes



9-10: Security Planning

• Security Planning Principles

– Risk analysis

• Risk analysis is the process of balancing threats and protection costs for individual assets

• Cost of protection should not exceed the cost of likely damage

• Absolute protection is impossible. Financially reasonable protection is not


9-10: Security Planning

• Security Planning Principles

– Comprehensive security

• An attacker has to find only one weakness

• A firm needs comprehensive security to close all avenues of attack


9-10: Security Planning

• Security Planning Principles

– Defense in depth

• Every protection breaks down sometimes

• An attacker should have to break through several lines of defense to succeed

• Providing this protection is called defense in depth

(Figure: Countermeasure 1 fails; Countermeasure 2 stops the attack)


9-10: Security Planning

• Security Planning Principles

– Access control

• Limit access to resources to legitimate users

• Give legitimate users minimum permissions (things they can do)


9-10: Security Planning

• Access Control Planning for Individual Resources

– Firms must enumerate and prioritize the resources they have to protect

– Otherwise, security planning is impossible

– Enormous task


9-10: Security Planning

• Access Control Planning for Individual Resources

– Companies Must Then Develop an Access Control Plan for Each Resource

• The plan includes the AAA protections

• Authentication is proving the identity of the person wishing access

• Authorization is determining what the person may do if he or she is authenticated

• Auditing is logging data on user actions for later appraisal


9-11: Authentication with a Central Authentication Server

1. The supplicant sends its credentials to the verifier.


9-11: Authentication with a Central Authentication Server

2. The verifier passes the credentials to a central authentication server.

3. The central authentication server checks the credentials. If the credentials are correct, the authentication server sends an OK to the verifier, along with authorizations.


9-11: Authentication with a Central Authentication Server

Central authentication servers bring consistency. All supplicants are evaluated exactly the same way no matter what verifiers they connect to.


9-12: Password Authentication

• Passwords

– Passwords are strings of characters

– They are typed to authenticate the use of a username (account) on a computer

• Benefits

– Ease of use for users (familiar)

– Inexpensive because password authentication is built into operating systems


9-12: Password Authentication

• Passwords Often are Weak (Easy to Crack)

– Word and name passwords are common

• Tomorrow, Bob, etc.

• These can be cracked quickly with dictionary attacks

– Hybrid dictionary attacks can crack simple variations, such as “Processing1” almost as fast


9-12: Password Authentication

• Passwords should be complex

– Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.)

– Can only be cracked with brute force attacks (trying all possibilities)

• Passwords should be long

– Eight characters minimum

– Each added character increases the brute force search time by a factor of about 70


9-12: Password Authentication

• Tell what attack will crack each of the following passwords fastest, and how strong each password is

– swordfish

– Processing1

– SeAtTLe

– R7%t&

– 4h*6tU9$^l


9-12: Password Authentication

• Other Concerns

– If people are forced to use long and complex passwords, they tend to write them down

– People should use different passwords for different sites

• Otherwise, a compromised password will give access to multiple sites


9-13: Digital Certificate Authentication

• Public and Private Keys

– Each party has both a public key and a private key

– A party makes its public key available to everybody

– A party keeps its private key secret

• If there are 12 employees, how many private keys will there be?

• How many public keys will there be?


9-13: Digital Certificate Authentication

• Digital Certificate

– Tamper-proof file that gives a party’s name and public key

(Figure: sample certificate with the fields Name: Smith; Public Key: 8m27cj$leo62@lj*^l18dwk...; other fields; Tamper Checking Field)


9-13: Digital Certificate Authentication

Figure: Digital Certificate Authentication Test

1. The applicant does a calculation with his or her private key.

2. Public key of the person the applicant claims to be (the True Party).

3. The verifier tests the calculation with the public key of the claimed party (not the public key of the sender).

If the test succeeds, the applicant must know the secret private key of the claimed party, which only the claimed party should know.


Question

• What would happen if the verifier tested the calculation with an impostor’s public key instead of the public key of the true party?
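The three-step test above, worked as an added example (not the textbook's code) with textbook RSA on small constructed keys, including the case this question asks about. The parties Smith and Mallory, the primes, the challenge bytes and all function names are assumptions; real systems use 2048-bit keys and a padded signature scheme.

```python
# Added example, not from the textbook: the digital certificate authentication
# test of Figure 9-13 worked with textbook RSA (no padding, small keys), which
# is enough to show WHY the verifier must test with the claimed party's public
# key. Real systems use 2048-bit keys and a padded signature scheme. The
# parties, primes and challenge below are constructed. Needs Python 3.8+.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus, public
    e: int   # public exponent
    d: int   # private exponent, kept secret by its owner


def make_keypair(p, q, e):
    """Textbook RSA key generation from two primes."""
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, e, pow(e, -1, phi))


@dataclass(frozen=True)
class Certificate:
    """Slide 9-42: a party's name and public key (tamper-check field omitted)."""
    name: str
    n: int
    e: int


def reduced_digest(challenge, n):
    # Hash the verifier's challenge and reduce it into the modulus range.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def step1_applicant_calculation(challenge, private):
    """Step 1: the applicant does a calculation with his or her private key."""
    return pow(reduced_digest(challenge, private.n), private.d, private.n)


def step3_verifier_test(challenge, calculation, claimed_cert):
    """Step 3: test the calculation with the public key of the CLAIMED party,
    taken from that party's certificate (step 2), never from the sender."""
    recovered = pow(calculation, claimed_cert.e, claimed_cert.n)
    return recovered == reduced_digest(challenge, claimed_cert.n)


# Constructed keys (primes chosen only so the arithmetic stays small).
SMITH = make_keypair(104729, 7919, 17)      # the True Party
MALLORY = make_keypair(1299709, 65537, 17)  # an impostor claiming to be Smith
SMITH_CERT = Certificate("Smith", SMITH.n, SMITH.e)
MALLORY_CERT = Certificate("Smith", MALLORY.n, MALLORY.e)  # impostor's key under Smith's name

CHALLENGE = b"verifier nonce 7f3a"  # constructed; a real verifier uses a fresh random value


def genuine_smith_passes():
    calc = step1_applicant_calculation(CHALLENGE, SMITH)
    return step3_verifier_test(CHALLENGE, calc, SMITH_CERT)


def impostor_fails_with_true_party_key():
    # Mallory can only calculate with her own private key, so the test with
    # Smith's public key fails: she does not know Smith's private key.
    calc = step1_applicant_calculation(CHALLENGE, MALLORY)
    return step3_verifier_test(CHALLENGE, calc, SMITH_CERT)


def impostor_passes_if_verifier_uses_wrong_key():
    # The question on this slide: if the verifier tests with the impostor's
    # public key, the test succeeds and Mallory is accepted as Smith. This is
    # why the claimed party's public key must come from a trusted certificate.
    calc = step1_applicant_calculation(CHALLENGE, MALLORY)
    return step3_verifier_test(CHALLENGE, calc, MALLORY_CERT)
```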



9-13: Digital Certificate Authentication

• Perspective

– Digital certificate authentication is very strong

– However, it is very expensive because companies must set up the infrastructure for distributing public–private key pairs

– The firm must do the labor of creating, distributing, and installing private keys


9-14: Biometric Authentication

• Biometric Authentication

– Authentication based on bodily measurements

– Promises to eliminate passwords

• Fingerprint Scanning

– Dominates biometrics use today

– Simple and inexpensive

– Substantial error rate (misidentification)

– Often can be fooled fairly easily by impostors


9-14: Biometric Authentication

• Iris Scanners

– Scan the iris (colored part of the eye)

– Irises are complex, so iris scanning gives strong authentication

– Expensive

• Face Recognition

– Camera: allows analysis of facial structure

– Can be done surreptitiously—that is, without the knowledge or consent of the person being scanned

– Very high error rate and easy to fool


9-14: Biometric Authentication

• Error and Deception Rates

– Error and deception rates are higher than vendors claim

– The effectiveness of biometrics is uncertain


Figure 9-15: Firewall Operation

The border firewall examines each packet passing through it.

(Figure labels: Ingress filtering; Egress filtering)


Figure 9-15: Firewall Operation

If the firewall identifies a PROVABLE attack packet, the firewall drops and logs the packet in a log file.


Figure 9-15: Firewall Operation

If the firewall identifies a packet that is not a provable attack packet, the firewall passes the packet. Even if the packet is suspicious, the firewall passes it.


9-16: Stateful Firewall Filtering

• Stateful Firewall Filtering

– There are several types of firewall filtering

– Stateful inspection is the dominant filtering method today

– Stateful firewalls often use other filtering mechanisms as secondary mechanisms


9-16: Stateful Firewall Filtering

• States

– Connections often go through several states

– Connection opening, ongoing communication, closing, etc.

– Different security actions are appropriate for different states

(Figure: Connection Opening State → Ongoing Communication State → Connection Closing State)


9-16: Stateful Firewall Filtering

• Connection Initiation State

– State when packets attempt to open a connection

• Example: packets with TCP segments whose SYN bits are set



9-17: Default Stateful Firewall Behavior for a Connection-Opening Attempt

Stateful firewalls have simple default behavior.

If an outside host attempts to open a connection, the firewall prevents the connection by default.

If an inside host attempts to open a connection, the firewall permits it by default.


9-16: Stateful Firewall Filtering

• Connection Initiation State

– Access control lists can create exceptions to the default behaviors

– Access control lists (ACLs) (see Figure 9-18)

• ACLs modify the default behavior for ingress or egress

• Ingress ACL rules allow access to selected internal servers

• Egress ACL rules prevent access to certain external servers


9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall

• 1. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table

– This rule permits external access to all internal mail servers

– It is dangerous because there may be an unhardened mail server in the company that the company does not know about


9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall

• 2. If IP address = 10.47.122.79 AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table

– This rule permits access to a particular webserver (10.47.122.79)

– This is safer than opening a hole in the firewall for all webservers


9-18: Ingress Access Control List (ACL) for a Stateful Inspection Firewall

• 3. Deny All AND LOG.

– If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally initiated connection-opening attempts


9-16: Stateful Firewall Filtering

• Packets in the Ongoing Communication State

– If the packet does not attempt to open a connection,

• Then if the packet is part of an established connection

– It is passed without further inspection

– (However, these packets can be filtered if desired)

• If the packet is not part of an established connection, it must be an attack

– It is dropped and logged
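The default behaviors of 9-17, the three ingress ACL rules of 9-18 and the connection-table handling of ongoing packets described above, combined in one added simulator (example code, not from the textbook or any firewall product). The internal address prefix, the packet format and all host addresses are constructed assumptions.

```python
# Added example, not from the textbook: a small stateful-inspection firewall
# simulator following the behaviour on these slides. Connection-opening
# attempts (TCP SYN) from inside are permitted by default; those from outside
# are denied by default unless an ingress ACL rule (Figure 9-18) passes them.
# Non-opening packets pass only if their connection is in the connection
# table; otherwise they are dropped and logged. All addresses are constructed.
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.47."  # assumption: the firm's internal address block


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str      # "TCP" or "UDP"
    src_port: int
    dst_port: int
    syn: bool = False  # TCP SYN set: a connection-opening attempt


# Ingress ACL of Figure 9-18, evaluated in order; rule 3 is the default.
INGRESS_ACL = [
    # 1. TCP to port 25: PASS (opens every internal mail server, risky)
    (lambda p: p.protocol == "TCP" and p.dst_port == 25, "PASS"),
    # 2. TCP to port 80 on one specific webserver: PASS
    (lambda p: p.dst_ip == "10.47.122.79" and p.protocol == "TCP"
     and p.dst_port == 80, "PASS"),
    # 3. Deny all and log
    (lambda p: True, "DENY"),
]


def connection_key(p):
    # Identify a connection by protocol plus its two endpoints, ordered so
    # that packets in either direction map to the same table entry.
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.protocol, ends[0], ends[1])


@dataclass
class StatefulFirewall:
    connections: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def filter(self, p):
        """Return "PASS" or "DROP" for one packet, updating state and log."""
        if p.syn:
            return self._filter_opening(p)
        # Ongoing-communication state: cheap table lookup, no deep inspection.
        if connection_key(p) in self.connections:
            return "PASS"
        self.log.append(("not in connection table", p))
        return "DROP"

    def _filter_opening(self, p):
        if p.src_ip.startswith(INTERNAL_PREFIX):
            # Internally initiated: permitted by default (egress side).
            self.connections.add(connection_key(p))
            return "PASS"
        for matches, action in INGRESS_ACL:
            if matches(p):
                if action == "PASS":
                    self.connections.add(connection_key(p))
                    return "PASS"
                self.log.append(("ingress ACL deny", p))
                return "DROP"
        return "DROP"  # unreachable: rule 3 always matches


def run_scenario():
    """Constructed packet sequence; returns the decision for each packet."""
    fw = StatefulFirewall()
    ext, mail, web, other = "203.0.113.5", "10.47.1.20", "10.47.122.79", "10.47.122.80"
    results = {
        # Rule 1 passes an external SMTP connection-opening attempt.
        "smtp_open": fw.filter(Packet(ext, mail, "TCP", 40001, 25, syn=True)),
        # Rule 2 passes HTTP to the designated webserver only.
        "web_open": fw.filter(Packet(ext, web, "TCP", 40002, 80, syn=True)),
        # Rule 3 denies and logs HTTP to any other internal host.
        "other_open": fw.filter(Packet(ext, other, "TCP", 40003, 80, syn=True)),
        # Reply inside the permitted web connection passes without inspection.
        "web_reply": fw.filter(Packet(web, ext, "TCP", 80, 40002)),
        # Non-SYN packet with no table entry: treated as an attack, dropped and logged.
        "stray": fw.filter(Packet("198.51.100.9", mail, "TCP", 5555, 25)),
        # Internally initiated connection: permitted by default.
        "egress_open": fw.filter(Packet("10.47.3.3", "192.0.2.10", "TCP", 50000, 443, syn=True)),
    }
    results["log_entries"] = len(fw.log)
    return results
```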



9-16: Stateful Firewall Filtering

• Packets in the Ongoing Communication State

– Nearly all packets are part of the ongoing communication state

– So this simplicity makes the cost of processing most packets minimal



Stateful Firewalls: Recap

All Packets are either Connection-Opening Attempts or Other Packets.

• Connection-Opening Attempts: Default Behavior, plus ACL Exceptions

• Other Packets

– Part of Previously Permitted Connection: Accept Packet

– Not Part of Previously Permitted Connection: Drop Packet


9-16: Stateful Firewall Filtering

• Perspective

– Simple operation for most packets leads to inexpensive stateful firewall operation

– However, stateful inspection firewall operation is highly secure


9-19: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPS)

• Inspect Packets?

– Firewalls: Yes

– IDSs: Yes

– IPSs: Yes

• Action Taken

– Firewalls: Drop and log individual provable attack packets based on individual packet or connection inspections

– IDSs: Log multipacket attacks based on deep packet inspections (all layers above the data link layer) of streams of packet flows. Notify an administrator of severe attacks but do not stop the attacks

– IPSs: Apply IDS processing methods (deep packet inspection and packet stream inspection) but actually stop some attacks that have high confidence but are not provably attacks


9-19: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPS)

• Processing Power Required

– Firewalls: Modest

– IDSs: Heavy

– IPSs: Heavy

• Maturity

– Firewalls: Fairly mature

– IDSs: Still immature, with too many false positives (false alarms). Tuning can reduce false positives, but this takes a great deal of labor.

– IPSs: New. Only used to stop attacks that can be identified fairly accurately.


Cryptographic Protections

If cryptography is outlawed, only criminals will xji39&39j27$#23


9-20: Cryptographic Systems

• Cryptographic Systems

– Provide security to multi-message dialogues

• At the Beginning of Each Communication Session

– The two parties usually mutually authenticate each other

Figure: initial authentication between Party A and Party B. A’s credentials go to B, and B’s credentials go to A.


9-20: Cryptographic Systems

• Message-by-Message Protection

– After this initial authentication, cryptographic systems provide protection to every message

– Encrypt each message for confidentiality so that eavesdroppers cannot read it

Figure: messages between Party A and Party B are encrypted for confidentiality; an eavesdropper cannot read them.


9-21: Symmetric Key Encryption for Confidentiality

Figure: Party A applies the cipher and the symmetric key to the message “Hello” and sends the encrypted message over the network to Party B. Encryption uses a non-secret cipher (encryption method) and a secret key.


9-21: Symmetric Key Encryption for Confidentiality

Figure: an interceptor on the network cannot read the encrypted message en route because he or she does not know the secret key.


9-21: Symmetric Key Encryption for Confidentiality

Figure: the receiver (Party B) decrypts the encrypted message back to “Hello” using the same cipher and the same symmetric key.


9-20: Cryptographic Systems

• Message-by-Message Protection

– Adds an electronic signature to each message

• The electronic signature authenticates the sender

• It also provides message integrity: receiver can tell if a message has been changed in transit

Figure: each message from Party A to Party B carries an electronic signature.


9-20: Cryptographic Systems

• Message-by-Message Protection

– Digital signatures use digital certificate authentication

• Very strong authentication, but also very expensive

– HMACs (key-hashed message authentication codes) are less expensive

• They are not quite as secure as digital signatures, but are still quite secure

• The most widely used electronic signature method
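An added example, not from the slides, showing message-by-message protection with an HMAC electronic signature in Python: each message in the dialogue is tagged with HMAC-SHA256 under the shared session key, and the receiver recomputes the tag to check both sender authentication and message integrity. The session key here is simply generated; in practice it comes out of the initial authentication at the start of the session described on slide 9-20. The sequence-number framing and the sample messages are assumptions for this example.

```python
import hashlib
import hmac
import secrets

def make_session_key() -> bytes:
    # Constructed for the example: a real system derives this key during the
    # initial authentication / key exchange at the start of the session.
    return secrets.token_bytes(32)

def sign_message(key: bytes, seq: int, body: bytes) -> bytes:
    """Return the HMAC-SHA256 tag over the sequence number and the message body.
    Binding the sequence number (assumed framing) means a message that is
    replayed or reordered fails verification even though its body is intact."""
    framed = seq.to_bytes(8, "big") + body
    return hmac.new(key, framed, hashlib.sha256).digest()

def verify_message(key: bytes, seq: int, body: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag with the shared key and compares it in
    constant time, so the comparison itself leaks nothing about the tag."""
    expected = sign_message(key, seq, body)
    return hmac.compare_digest(expected, tag)

def protected_dialogue(key: bytes, messages: list) -> list:
    """Sign every message of a multi-message dialogue with increasing seq."""
    return [(i, m, sign_message(key, i, m)) for i, m in enumerate(messages)]
```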


9-22: Other Aspects of Protection

• Hardening Servers and Client PCs

– Setting up computers to protect themselves

• Server Hardening

– Back up so that restoration is possible

– Patch vulnerabilities

– Use host firewalls


9-22: Other Aspects of Protection

• Client PC Hardening

– As with servers, patching vulnerabilities, having a firewall, and implementing backup

– Also, a good antivirus program that is updated regularly

– Client PC users often make errors or sabotage hardening techniques

– In corporations, group policy objects (GPOs) can be used to centrally enforce security policies on clients


9-22: Other Aspects of Protection

• Vulnerability Testing

– Goal is to find vulnerabilities before the bad guys do

– Protections are difficult to set up correctly

– Protections may be deliberately violated

– Vulnerability testing is attacking your system yourself or through a consultant

– There must be follow-up to fix the vulnerabilities


9-23: Incident Response

• Even with the best security, successful attacks sometimes happen

1. Detect the Attack

2. Stop the Attack

3. Repair the Damage

4. Punish the Attacker


9-23: Incident Response

• Major Attacks and CSIRTs

– Major incidents are those the on-duty staff cannot handle

– Computer security incident response team (CSIRT)

– Must include members of senior management, the firm’s security staff, members of the IT staff, members of functional departments, and the firm’s public relations and legal departments


9-23: Incident Response

• Disasters and Disaster Recovery

– Natural and human-made disasters

– IT disaster recovery

• Dedicated backup sites and transferring personnel

• Having two sites that mutually back up each other

– Business continuity recovery

• Getting the whole firm back in operation

• IT is only one player


9-23: Incident Response

• Rehearsals

– Rehearsals are necessary for speed and accuracy in response

– Time literally is money


Topics Covered


• The Threat Environment

– Many threats

– Malware: viruses versus worms, payloads, etc.

– Social engineering

– Spam, credit card theft, identity theft, adware, spyware

– Human Break-Ins

• Definition of hacking—authorization

• Scanning phase; the exploit

• After the Break-in: deleting log files, backdoors, damage at leisure


Topics Covered

• The Threat Environment

– Human attacks

• Denial-of-Service (DoS) attack with bots

– Traditional attackers

• Hackers, virus writers, script kiddies

• Disgruntled employees and ex-employees

– Criminal attackers now dominate the threat environment

– Cyberterror and cyberwar


Topics Covered

• Security Management

– Security is a management issue, not a technical issue

– The Plan-Protect-Respond Cycle

– Comprehensive security and centralized management

– Defense in depth

– Enumerating and prioritizing assets

– Asset control plans for individual assets: authentication, authorization, and auditing


Topics Covered

• Security Management

– Authentication

• Applicant and verifier

– Central authentication server for consistency

• Password authentication

– Poor password discipline is common

– Passwords need to be long and complex

• Biometrics

– Fingerprint, iris, face, etc.

– Error rates and deception


Topics Covered

• Security Management

– Authentication

• Digital certificate authentication

– Public key / private key pairs, digital certificates

– The strongest form of authentication (and most expensive)

– Applicant does a calculation using the applicant’s private key

– Verifier tests the calculation using the public key in the digital certificate of the party the applicant claims to be


Topics Covered

• Firewalls

– Filter, drop, or pass incoming and outgoing packets

– Stateful inspection firewalls

• Default rules for connection-opening attempts

• ACLs to modify the default rules

• Other packets—accept if part of previously approved connection

– Firewalls, IDSs and IPSs

• IPSs have the strongest filtering ability


Topics Covered

• Cryptographic Systems

– To protect streams of messages

– Initial authentication

– Public key encryption

– Message-by-message protections: encryption for confidentiality, digital signature for authentication and message integrity

– Symmetric key encryption


Topics Covered

• Hardening Clients and Servers

– A diverse set of actions

• Vulnerability Testing

• Incident Response

– Detecting the attack, stopping the attack, repairing the damage, punishing the attacker

– Major attacks and CSIRTs

– Disasters and disaster recovery


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,

mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall