Ubiquitous Network Embedded System School of Informatics, Walailak University Computer Network Security ICT-331 Computer Network 2, Semester 1/59 Chanankorn Jandaeng, [email protected] http://cjundang.ubines.info

Network Security Lecture


Page 1: Network Security Lecture


Page 2: Network Security Lecture

Chanankorn Jandaeng, Ph.D. -To push students over their boundary-

Course Description

• Foundation of network security; network design considerations; network role-based security such as proxy server and DNS server; management of information security; security management model; protection mechanisms.

Page 3: Network Security Lecture

Outlines

• Quiz (20%)
  • Overview of Computer Network (3)
  • Fundamental of Computer Network Security (6)
  • Threat and Security Attacking (6)
  • Access Control (3)
• Examination (30%)
  • Cryptography (3)
  • Firewall (3)
  • Intrusion Detection/Prevention System (6)
  • Computer Forensics (6)

Page 4: Network Security Lecture

Grade Policy

Activity: Credit (%)
Attendance: 5
Test (5 x 5%): 25
Individual Report: 5
Laboratory Examination: 15
Quiz (2 x 10%): 20
Final Examination: 30
Total: 100

• More than 80%: grade A
• Lower than 40%: grade F
• Attendance below 80%: not allowed to take the Quiz and Examination

Page 5: Network Security Lecture

Book and Resources

• Slides
• N. Hoque et al. (2014), Network attacks: Taxonomy, tools and systems, Journal of Network and Computer Applications, 40, pp. 307-324.
• Todd Lammle (2013), CCNA Routing and Switching: Study Guide, Sybex.

Page 6: Network Security Lecture


Page 7: Network Security Lecture


Module 0 Overview of Computer Network

Page 8: Network Security Lecture

Outlines

• Inter-networking basics
• TCP/IP model
• Ethernet Networking & Data Encapsulation
• Three-Layer Hierarchical Model

Page 9: Network Security Lecture

Inter-networking basics
Source: Todd Lammle (2013), CCNA Routing and Switching: Study Guide, Sybex

Page 10: Network Security Lecture

A very basic network

• Local Area Network via Hub
• Collision Domain

Page 11: Network Security Lecture

Network Segmentation

• Network Segmentation
• Routers, Switches, Bridges

Page 12: Network Security Lecture

LAN Traffic Congestion

• Too many hosts in a collision or broadcast domain
• Broadcast storms
• Too much multicast traffic
• Low bandwidth
• Adding hubs for connectivity to the network
• ARP broadcasts

Page 13: Network Security Lecture

Broadcast Domain

Page 14: Network Security Lecture

Inter-networking Devices

Page 15: Network Security Lecture


TCP/IP MODEL

Page 16: Network Security Lecture

PROTOCOL SUITE

Page 17: Network Security Lecture

TELNET

• Telnet is the chameleon of protocols—its specialty is terminal emulation.
• It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server, in order to access a command-line interface.
• Telnet achieves this by pulling a fast one on the Telnet server and making the client machine appear as though it were a terminal directly attached to the local network.
• This projection is actually a software image—a virtual terminal that can interact with the chosen remote host.
• A drawback is that there are no encryption techniques.

Page 18: Network Security Lecture

SECURE SHELL (SSH)

• The Secure Shell (SSH) protocol sets up a secure session that’s similar to Telnet over a standard TCP/IP connection and is employed for doing things like logging into systems, running programs on remote systems, and moving files from one system to another.
• And it does all of this while maintaining an encrypted connection.

Page 19: Network Security Lecture

FILE TRANSFER PROTOCOL (FTP)

• File Transfer Protocol (FTP) actually lets us transfer files, and it can accomplish this between any two machines using it. But FTP isn’t just a protocol; it’s also a program.
• FTP is used by applications.
• As a program, it’s employed by users to perform file tasks by hand.
• FTP also allows for access to both directories and files and can accomplish certain types of directory operations, such as relocating into different ones.

Page 20: Network Security Lecture

FILE TRANSFER PROTOCOL (FTP)

• Users must then be subjected to an authentication login that’s usually secured with passwords and usernames implemented by system administrators to restrict access.
• You can get around this somewhat by adopting the username anonymous, but you’ll be limited in what you’ll be able to access.

Page 21: Network Security Lecture

HTTP

• All those snappy websites comprising graphics, text, links, ads and so on rely on the Hypertext Transfer Protocol (HTTP) to make it all possible.
• It’s used to manage communications between web browsers and web servers and opens the right resource when you click a link, wherever that resource may actually reside.

Page 22: Network Security Lecture

HTTPS

• Hypertext Transfer Protocol Secure (HTTPS) is also known as Secure Hypertext Transfer Protocol.
• It uses Secure Sockets Layer (SSL).
• It’s what your browser needs to fill out forms, sign in, authenticate, and encrypt an HTTP message when you do things online like make a reservation, access your bank, or buy something.

Page 23: Network Security Lecture

Network Time Protocol (NTP)

• NTP is used to synchronize the clocks on our computers to one standard time source (typically, an atomic clock).
• Network Time Protocol (NTP) works by synchronizing devices to ensure that all computers on a given network agree on the time.
• This may sound pretty simple, but it’s very important because so many of the transactions done today are time and date stamped.
• A Network Monitoring System needs NTP.

Page 24: Network Security Lecture

Domain Name System (DNS)

Page 25: Network Security Lecture

Dynamic Host Configuration Protocol

• Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts.
• It allows for easier administration and works well in small to very large network environments.
• Many types of hardware can be used as a DHCP server, including a Cisco router.
• A DHCP server can provide: IP address, subnet mask, domain name, default gateway (routers), DNS server address.

Page 26: Network Security Lecture

Host-to-Host Layer Protocol

• The Host-to-Host layer shields the upper-layer applications from the complexities of the network.
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

Page 27: Network Security Lecture

Transmission Control Protocol (TCP)

• TCP takes large blocks of information from an application and breaks them into segments.
• It numbers and sequences each segment so that the destination’s TCP stack can put the segments back into the order the application intended.
• After these segments are sent on the transmitting host, TCP waits for an acknowledgment of the receiving end’s TCP virtual circuit session, retransmitting any segments that aren’t acknowledged.

Page 28: Network Security Lecture

Transmission Control Protocol (TCP)

• Before a transmitting host starts to send segments down the model, the sender’s TCP stack contacts the destination’s TCP stack to establish a connection.
• This creates a virtual circuit, and this type of communication is known as connection-oriented.
• During this initial handshake, the two TCP layers also agree on the amount of information that’s going to be sent before the recipient’s TCP sends back an acknowledgment. With everything agreed upon in advance, the path is paved for reliable communication to take place.

Page 29: Network Security Lecture

Transmission Control Protocol (TCP)

• TCP is a full-duplex, connection-oriented, reliable, and accurate protocol, but establishing all these terms and conditions, in addition to error checking, is no small task.
• TCP is very complicated, and so not surprisingly, it’s costly in terms of network overhead.

Page 30: Network Security Lecture

Transmission Control Protocol (TCP)

• And since today’s networks are much more reliable than those of yore, this added reliability is often unnecessary.
• Most programmers use TCP because it removes a lot of programming work, but for real-time video and VoIP, User Datagram Protocol (UDP) is often better because using it results in less overhead.

Page 31: Network Security Lecture

TCP Segment Format

• Source port: the port number of the application on the host sending the data.
• Destination port: the port number of the application requested on the destination host.
• Sequence number: a number used by TCP that puts the data back in the correct order or retransmits missing or damaged data, during a process called sequencing.
• Acknowledgment number: the value is the TCP octet that is expected next.

Page 32: Network Security Lecture

TCP Segment Format

• Header length: the number of 32-bit words in the TCP header, which indicates where the data begins. The TCP header (even one including options) is an integral number of 32 bits in length.
• Code bits/flags: controls functions used to set up and terminate a session.
• Window: the window size the sender is willing to accept, in octets.
• Checksum: the cyclic redundancy check (CRC), used because TCP doesn’t trust the lower layers and checks everything. The CRC checks the header and data fields.

Page 33: Network Security Lecture

User Datagram Protocol (UDP)

• User Datagram Protocol (UDP) is basically the scaled-down economy model of TCP, which is why UDP is sometimes referred to as a thin protocol.
• UDP does not sequence the segments and does not care about the order in which the segments arrive at the destination.
• UDP just sends the segments off and forgets about them.
• It doesn’t follow through, check up on them, or even allow for an acknowledgment of safe arrival—complete abandonment. Because of this, it’s referred to as an unreliable protocol. This does not mean that UDP is ineffective, only that it doesn’t deal with reliability issues at all.

Page 34: Network Security Lecture

UDP Segment

• Source port: port number of the application on the host sending the data
• Destination port: port number of the application requested on the destination host
• Length: length of the UDP header and UDP data
• Checksum: checksum of both the UDP header and UDP data fields
• Data: upper-layer data

Page 35: Network Security Lecture

Key features of TCP and UDP

Page 36: Network Security Lecture

Port Number

Page 37: Network Security Lecture

Internet Layer Protocol

• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Address Resolution Protocol (ARP)

Page 38: Network Security Lecture

IP

• Internet Protocol (IP) essentially is the Internet layer.
• IP can reach every machine on the network because each one has a software, or logical, address called an IP address.
• IP receives segments from the Host-to-Host layer and fragments them into datagrams (packets) if necessary.
• IP then reassembles datagrams back into segments on the receiving side.

Page 39: Network Security Lecture

IP

• Each datagram is assigned the IP address of the sender and that of the recipient.
• Each router or switch (layer 3 device) that receives a datagram makes routing decisions based on the packet’s destination IP address.

Page 40: Network Security Lecture

IP Header Format

• Version: IP version number.
• Header length: header length (HLEN) in 32-bit words.
• Priority and Type of Service: Type of Service tells how the datagram should be handled. The first 3 bits are the priority bits, now called the differentiated services bits.
• Total length: length of the packet, including header and data.
• Identification: unique IP-packet value used to differentiate fragmented packets from different datagrams.

Page 41: Network Security Lecture

IP Header Format

• Flags: specifies whether fragmentation should occur.
• Fragment offset: provides fragmentation and reassembly if the packet is too large to put in a frame. It also allows different maximum transmission units (MTUs) on the Internet.
• Time To Live: the time to live (TTL) is set into a packet when it is originally generated. If it doesn’t get to where it’s supposed to go before the TTL expires, boom—it’s gone. This stops IP packets from continuously circling the network looking for a home.
• Protocol: the protocol number of the upper-layer protocol; for example, TCP is 6 and UDP is 17. It also supports Network layer protocols, like ARP and ICMP, and can be referred to as the Type field in some analyzers. We’ll talk about this field more in a minute.

Page 42: Network Security Lecture

IP Header Format

• Header checksum: cyclic redundancy check (CRC) on the header only.
• Source IP address: 32-bit IP address of the sending station.
• Destination IP address: 32-bit IP address of the station this packet is destined for.
• Options: used for network testing, debugging, security, and more.
• Data: after the IP option field comes the upper-layer data.
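The IP and TCP header fields listed on the last few slides, decoded from raw bytes: an added Python example, not code from the slides or from Lammle’s book. It parses a constructed IPv4+TCP SYN packet and verifies both checksum fields; note that these fields carry the ones'-complement Internet checksum of RFC 1071 rather than a CRC, and that the TCP checksum also covers an IP pseudo-header of addresses, protocol number and TCP length. The sample packet and its addresses are constructed, not captured.

```python
"""Parse the IPv4 and TCP header fields listed on the slides from raw bytes."""
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample (not a real capture): a TCP SYN from 192.168.1.10:40000 to
# 10.0.0.5:80 with no payload; both checksum fields were computed to be valid.
SAMPLE_PACKET = bytes.fromhex(
    "45000028" "1c464000" "400652d3" "c0a8010a" "0a000005"   # 20-byte IPv4 header
    "9c400050" "1a2b3c4d" "00000000" "5002ffff" "f1220000"   # 20-byte TCP header
)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # code bits, low bit first

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum used by the IP and TCP checksum fields.
    Over data whose checksum field is already correct, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

@dataclass
class IPv4Header:
    version: int
    header_len: int          # bytes (HLEN field x 4)
    dscp: int                # priority / differentiated services bits of the ToS byte
    total_len: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int     # in 8-byte units
    ttl: int
    protocol: int            # 6 = TCP, 17 = UDP
    checksum_ok: bool
    src: str
    dst: str

@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int          # bytes (data offset x 4)
    flags: List[str]
    window: int
    checksum_ok: bool

def parse_ipv4(buf: bytes) -> IPv4Header:
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or hlen > len(buf) or total_len > len(buf):
        raise ValueError("not a well-formed IPv4 header")
    return IPv4Header(
        version, hlen, tos >> 2, total_len, ident,
        bool(flags_frag & 0x4000), bool(flags_frag & 0x2000), flags_frag & 0x1FFF,
        ttl, proto, internet_checksum(buf[:hlen]) == 0,   # header checksum covers the header only
        ".".join(map(str, src)), ".".join(map(str, dst)),
    )

def parse_tcp(segment: bytes, src_ip: str, dst_ip: str) -> TCPHeader:
    (sport, dport, seq, ack, off_flags,
     window, _cksum, _urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP data offset")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    # The TCP checksum covers header and data plus a pseudo-header made of the
    # IP addresses, the protocol number and the TCP length.
    pseudo = struct.pack("!4s4sBBH", bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))), 0, 6, len(segment))
    return TCPHeader(sport, dport, seq, ack, hlen, flags, window,
                     internet_checksum(pseudo + segment) == 0)

def parse_packet(pkt: bytes):
    """Return (IPv4Header, TCPHeader or None) for one raw IP packet."""
    ip = parse_ipv4(pkt)
    tcp = None
    if ip.protocol == 6:
        tcp = parse_tcp(pkt[ip.header_len:ip.total_len], ip.src, ip.dst)
    return ip, tcp

if __name__ == "__main__":
    ip, tcp = parse_packet(SAMPLE_PACKET)
    print(ip)
    print(tcp)
```

Corrupting one header byte (for example a TTL decremented by a router that forgot to update the checksum) makes `checksum_ok` false for the IP header while the TCP checksum still verifies.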

Page 43: Network Security Lecture

Protocol Number

Page 44: Network Security Lecture

ICMP

• Internet Control Message Protocol (ICMP) is used by IP for many different services.
• ICMP is basically a management protocol and messaging service provider for IP.
• Its messages are carried as IP datagrams.
• ICMP packets have the following characteristics:
  • They can provide hosts with information about network problems.
  • They are encapsulated within IP datagrams.

Page 45: Network Security Lecture

ICMP error message

Page 46: Network Security Lecture

Address Resolution Protocol (ARP)

Page 47: Network Security Lecture

IP Addressing

Page 48: Network Security Lecture

Reserved IP Address

Page 49: Network Security Lecture

Private IP Address

Page 50: Network Security Lecture


Ethernet Networking

Page 51: Network Security Lecture

Ethernet

• Ethernet is a media access method.
• It allows hosts on a network to share the same link’s bandwidth.
• Ethernet is readily scalable: Standard -> Fast -> Gigabit -> Ten Gigabit Ethernet.
• Ethernet operates at both the Data Link and Physical layers.

Page 52: Network Security Lecture

Collision Domain

Page 53: Network Security Lecture

A typical Network today

Page 54: Network Security Lecture

Broadcast Domain

• How to break up a broadcast domain in a switch

Page 55: Network Security Lecture

CSMA/CD

• Carrier Sense Multiple Access with Collision Detection
• Helps devices share bandwidth evenly while preventing two devices from transmitting simultaneously on the same network medium.

Page 56: Network Security Lecture

CSMA/CD

• A jam signal informs all devices that a collision occurred
• The collision invokes a random back-off algorithm
• Each device on the Ethernet segment stops transmitting for a short time until its back-off timer expires
• All hosts have equal priority to transmit after the time expires

Page 57: Network Security Lecture

CSMA/CD

• The ugly effects of having a CSMA/CD network sustain heavy collisions:
  • delay
  • low throughput
  • congestion
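To make the back-off behaviour of the last three slides concrete, here is an added slotted simulation of CSMA/CD (my example, not from the slides) using the truncated binary exponential back-off that Ethernet specifies: after its n-th consecutive collision a station waits a random number of slot times from 0 to 2^min(n,10)-1, and a frame is dropped after 16 collisions. Running it with more stations shows the extra delay, lower throughput and discarded frames the slide lists; the station counts and seed are assumed values.

```python
"""Slotted CSMA/CD simulation with truncated binary exponential back-off."""
import random
from dataclasses import dataclass

MAX_BACKOFF_EXP = 10   # Ethernet caps the back-off window at 2**10 slot times
MAX_ATTEMPTS = 16      # a frame is discarded after 16 consecutive collisions

def backoff_window(collisions: int) -> int:
    """Number of slot times a station may choose from after its n-th consecutive collision."""
    return 2 ** min(collisions, MAX_BACKOFF_EXP)

@dataclass
class Station:
    name: str
    frames_left: int
    collisions: int = 0     # consecutive collisions for the frame at the head of its queue
    wait_until: int = 0     # first slot at which the station may transmit again
    delivered: int = 0
    discarded: int = 0

@dataclass
class Result:
    slots: int          # total slot times elapsed
    collisions: int     # number of jam events
    delivered: int
    discarded: int

def simulate(num_stations: int, frames_each: int, seed: int = 1) -> Result:
    """Run until every station has sent (or given up on) all of its frames."""
    rng = random.Random(seed)   # seeded so a run is reproducible
    stations = [Station(f"S{i}", frames_each) for i in range(num_stations)]
    slot = collisions = 0
    while any(s.frames_left for s in stations):
        # Every station with a pending frame and an expired back-off timer senses the
        # medium idle at the same instant and transmits: the worst case for CSMA/CD.
        ready = [s for s in stations if s.frames_left and s.wait_until <= slot]
        if len(ready) == 1:                       # one sender: the frame gets through
            s = ready[0]
            s.frames_left -= 1
            s.delivered += 1
            s.collisions = 0
        elif len(ready) > 1:                      # collision: jam signal, everyone backs off
            collisions += 1
            for s in ready:
                s.collisions += 1
                if s.collisions >= MAX_ATTEMPTS:  # excessive collisions: drop the frame
                    s.frames_left -= 1
                    s.discarded += 1
                    s.collisions = 0
                else:
                    s.wait_until = slot + 1 + rng.randrange(backoff_window(s.collisions))
        slot += 1                                 # an empty ready list is an idle slot
    return Result(slot, collisions,
                  sum(s.delivered for s in stations), sum(s.discarded for s in stations))

def utilisation(result: Result) -> float:
    """Fraction of slot times that carried a successful frame (throughput)."""
    return result.delivered / result.slots

if __name__ == "__main__":
    for n in (1, 2, 8, 32):
        r = simulate(n, 20)
        print(f"{n:2d} stations: {r.collisions:4d} collisions, "
              f"throughput {utilisation(r):.2f}, {r.discarded} frames discarded")
```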

Page 58: Network Security Lecture

Ethernet at the Data Link Layer

• Ethernet Addressing
  • Physical address, MAC address

Page 59: Network Security Lecture

Ethernet Frame

• Data Link layer:
  • combines bits into bytes and bytes into frames
  • encapsulates packets from the Network layer for transmission on a type of media access

Page 60: Network Security Lecture

Ethernet Frame

• Preamble An alternating 1,0 pattern provides a 5 MHz clock at the start of each packet, which allows the receiving devices to lock the incoming bit stream.

• Start Frame Delimiter (SFD)/Synch The preamble is seven octets and the SFD is one octet (synch). The SFD is 10101011, where the last pair of 1s allows the receiver to come into the alternating 1,0 pattern somewhere in the middle and still sync up to detect the beginning of the data.

Page 61: Network Security Lecture

Ethernet Frame

• Destination Address (DA) This transmits a 48-bit value using the least significant bit (LSB) first. The DA is used by receiving stations to determine whether an incoming packet is addressed to a particular node. The destination address can be an individual address or a broadcast or multicast MAC address. Remember that a broadcast is all 1s—all Fs in hex— and is sent to all devices. A multicast is sent only to a similar subset of nodes on a network.

• Source Address (SA) The SA is a 48-bit MAC address used to identify the transmitting device, and it uses the least significant bit first. Broadcast and multicast address formats are illegal within the SA field.

Page 62: Network Security Lecture

Ethernet Frame

• Length or Type 802.3 uses a Length field, but the Ethernet_II frame uses a Type field to identify the Network layer protocol. The old, original 802.3 cannot identify the upper-layer protocol and must be used with a proprietary LAN—IPX, for example.

• Data This is a packet sent down to the Data Link layer from the Network layer. The size can vary from 46 to 1,500 bytes.
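Decoding the frame fields from the three slides above from raw bytes, as an added example that is not part of the slides: it classifies the destination address as unicast, multicast or broadcast using the individual/group bit (the least significant bit of the first octet, which is the first bit on the wire), distinguishes an 802.3 Length from an Ethernet_II Type, checks the 46 to 1,500 byte data field, and flags an illegal multicast or broadcast source address. The sample frames and MAC addresses are constructed, carry no FCS, and are not real captures.

```python
"""Decode the Ethernet frame header fields described on the slides from raw bytes."""
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

@dataclass
class EthernetFrame:
    dst: str
    src: str
    dst_kind: str                 # "unicast", "multicast" or "broadcast"
    encapsulation: str            # "Ethernet_II", "802.3" or "invalid"
    ethertype: Optional[int]      # Ethernet_II only
    protocol: Optional[str]       # name for a known Type value
    length: Optional[int]         # 802.3 only: length of the data field
    payload: bytes
    problems: List[str]

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def address_kind(raw: bytes) -> str:
    if raw == b"\xff" * 6:
        return "broadcast"        # all 1s, all Fs in hex
    # The individual/group bit is the first bit on the wire; octets go out LSB
    # first, so it is the least significant bit of the first octet.
    return "multicast" if raw[0] & 0x01 else "unicast"

def parse_ethernet(frame: bytes) -> EthernetFrame:
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte header")
    dst, src = frame[:6], frame[6:12]
    type_len = int.from_bytes(frame[12:14], "big")
    payload = frame[14:]
    problems: List[str] = []
    if address_kind(src) != "unicast":
        problems.append("broadcast/multicast source address is illegal")
    ethertype = length = None
    # Values up to 1500 are an 802.3 Length; 1536 (0x0600) and above are an Ethernet_II Type.
    if type_len <= 1500:
        encapsulation, length = "802.3", type_len
        if length > len(payload):
            problems.append("802.3 length field exceeds the bytes present")
    elif type_len >= 0x0600:
        encapsulation, ethertype = "Ethernet_II", type_len
    else:
        encapsulation = "invalid"
        problems.append("Type/Length value in the undefined 1501-1535 range")
    # The data field is 46 to 1500 bytes (short frames are padded on the wire; no FCS here).
    if not 46 <= len(payload) <= 1500:
        problems.append(f"data field is {len(payload)} bytes, outside 46-1500")
    return EthernetFrame(mac_str(dst), mac_str(src), address_kind(dst), encapsulation,
                         ethertype, ETHERTYPES.get(ethertype), length, payload, problems)

# Constructed sample frames (no FCS), not real captures.
IPV4_UNICAST = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x00" * 46
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + b"\x00" * 46
DOT3_SHORT = bytes.fromhex("0180c2000000" "66778899aabb" "0003" "424203") + b"\x00" * 43
BAD_SOURCE = bytes.fromhex("001122334455" "ffffffffffff" "0800") + b"\x00" * 46

if __name__ == "__main__":
    for name, f in (("IPv4", IPV4_UNICAST), ("ARP", ARP_BROADCAST),
                    ("802.3", DOT3_SHORT), ("bad SA", BAD_SOURCE)):
        d = parse_ethernet(f)
        print(name, d.dst_kind, d.encapsulation, d.protocol, d.length, d.problems)
```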

Page 63: Network Security Lecture

Ethernet at Physical Layer

• Ethernet standards:
  • 10Base-T
  • 100Base-TX
  • 100Base-FX
  • 1000Base-T
  • …

Page 64: Network Security Lecture

Ethernet at Physical Layer

• Ethernet Cabling
• UTP

Page 65: Network Security Lecture

Ethernet cabling

Page 66: Network Security Lecture

Rolled Cable

Page 67: Network Security Lecture

Fiber Optic

Page 68: Network Security Lecture

Data Encapsulation

Page 69: Network Security Lecture

PDU & ADDRESSING

Page 70: Network Security Lecture

THREE LAYER HIERARCHICAL MODEL

Page 71: Network Security Lecture


Module 1 Fundamental of Computer Network Security

Page 72: Network Security Lecture

Outlines

• Challenges
• Terminology
• Identification and Authentication

Page 73: Network Security Lecture


Challenges

Page 74: Network Security Lecture

Why is security difficult?

• Speed of attacks
  • Wide availability of modern tools: used to scan systems, find weaknesses and launch attacks
  • Most tools are automated
  • Easy to attack target systems

Page 75: Network Security Lecture

Why is security difficult?

• Sophistication of attacks
  • Security attacks are becoming more complex
  • Difficult to detect
• Faster detection of weaknesses
  • Newly discovered system vulnerabilities double annually
  • More difficult for software developers to update their products
  • Zero-day attacks

Page 76: Network Security Lecture

Why is security difficult?

• Distributed attacks
  • Multiple systems can be used to attack a single computer or network
  • Impossible to stop an attack by identifying and blocking the source
• Difficulty in patching

Page 77: Network Security Lecture


Terminology

Page 78: Network Security Lecture

Security

• Security is about the protection of assets
• Protective measures:
  • Prevention
  • Detection
  • Reaction

Page 79: Network Security Lecture

Computer Security

• Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
• The goal is to protect data and resources
• Only an issue on shared systems, like a network or a time-sharing OS
• No “global” solution

Page 80: Network Security Lecture

Computer Security

• Computer security
  • No absolutely “secure” system
  • Security mechanisms protect against specific classes of attacks
• Network security
  • Security of data in transit, over network links and store-and-forward nodes
  • Security of data at the end point: files, email, hardcopies

Page 81: Network Security Lecture

Network Security vs Computer Security

• Attacks can come from anywhere, anytime
• Highly automated (scripts)
• Physical security measures are inadequate
• Wide variety of applications, services, protocols
  • Complexity
  • Different constraints, assumptions, goals
• No single “authority”/administrator

Page 82: Network Security Lecture

Security Objectives

• To protect Confidentiality, Integrity, Availability
• Confidentiality:
  • Ensure that only authorized users can view data
  • No data is disclosed intentionally or unintentionally

Page 83: Network Security Lecture

Security Objectives

• To protect Confidentiality, Integrity, Availability
• Integrity:
  • No data is modified by an unauthorized person or software
  • No unauthorized changes are made by an authorized person
  • Data remains consistent

Page 84: Network Security Lecture

Security Objectives

• To protect Confidentiality, Integrity, Availability
• Availability:
  • Service/data is available to authorized users

Page 85: Network Security Lecture

Security Mechanism & Service

• Security Mechanism
  • A mechanism designed to detect, prevent, or recover from a security attack
• Security Service
  • A service that enhances the security of data processing systems and information transfers
  • Makes use of one or more security mechanisms

Page 86: Network Security Lecture

Security Attack

• Any action that compromises the security of information
• Attack on availability
• Attack on confidentiality
• Attack on integrity
• Attack on authenticity

Page 87: Network Security Lecture

Terminology

• Risk
  • A measure of the cost of a realized vulnerability that incorporates the probability of a successful attack
• Risk Analysis
  • Provides a quantitative means of determining whether an expenditure on safeguards is warranted

Page 88: Network Security Lecture

Terminology

• Spies
  • A person who has been hired to break into a computer and steal information
  • Does not randomly search for unsecured computers to attack

Page 89: Network Security Lecture

Terminology

• Cyberterrorist
  • Terrorists that attack the network and computer infrastructure to:
    • Deface electronic information (such as web sites)
    • Deny service to legitimate computer users
    • Commit unauthorized intrusions into systems and networks that result in infrastructure outages and corruption of vital data

Page 90: Network Security Lecture


Identification and Authentication

Page 91: Network Security Lecture

Ident. and Authen.

• Authentication Basics
• Password
• Biometrics

Page 92: Network Security Lecture

Authentication Basic

• Authentication
  • A process of verifying a user’s identity
  • Two reasons to authenticate a user:
    • The user identity is a parameter in access control decisions (for a system)
    • The user identity is recorded when logging security-relevant events in an audit trail

Page 93: Network Security Lecture

Authentication Basic

• Authentication
  ▪ Binding of an identity to a principal (subject)
  ▪ An identity must provide information to enable the system to confirm its identity

Page 94: Network Security Lecture

Authentication Basic

• Authentication
  ▪ Information (one or more):
    • What the identity knows (such as a password or secret information)
    • What the identity has (such as a badge or card)
    • What the identity is (such as fingerprints)
    • Where the identity is (such as in front of a particular terminal)

Page 95: Network Security Lecture

Authentication Basic

• Authentication process
  ▪ Obtaining information from the identity
  ▪ Analyzing the data
  ▪ Determining if it is associated with that identity
• Thus the authentication process is the process of verifying a claimed identity

Page 96: Network Security Lecture

Authentication Basic

• Username and Password
  • Very common and simple identities
  • Used to enter a system
  • Username
    • Announces who a user is
    • This step is called identification
  • Password
    • Proves that the user is who they claim to be
    • This step is called authentication

Page 97: Network Security Lecture

Authentication Mechanism

• Password
• Password Aging
• One-Time Password

Page 98: Network Security Lecture

Password

• Based on what people know
• User supplies a password
• Computer validates it
• If the password is associated with the user, the user’s identity is authenticated

Page 99: Network Security Lecture

Password

• Choosing passwords
  • Password guessing attacks are very simple and always work!!
  • Because users are not aware of protecting their passwords
  • Password choice is a critical security issue
  • Choose passwords that cannot be easily guessed

Page 100: Network Security Lecture

Password

• Password defenses
  • Set a password on every account
  • Change default passwords
• Password length
  • A minimum password length should be prescribed
• Password format
  • Mix upper and lower case symbols
  • Include numerical and other non-alphabetical symbols

Page 101: Network Security Lecture

Chanankorn Jandaeng, Ph.D. -To push students over their boundary-

Password
• Password format
  • Mix upper and lower case letters
  • Include digits and other non-alphabetic symbols
  • Avoid obvious passwords

Page 102: Network Security Lecture

How to improve password security?
• Password checking tools
  • Check a chosen password against a dictionary of weak passwords and reject it if found
• Password generation
  • A utility in some systems
  • Produces random passwords for users
• Password aging
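The checks on the last four slides (minimum length, mixed character classes, a weak-password dictionary, and passwords built from names an attacker already knows) can be combined into a single password checking tool, and the same checker can validate the output of a password generator. The following Python block is an added example written for this page, not code from the lecture or from any named tool; the weak-password list, the 12-character minimum and the account names are constructed assumptions.

```python
import re
import secrets
import string

# Constructed example input: a tiny "dictionary of weak passwords". A real
# deployment loads a large word list (and leaked-password lists) from disk.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
MIN_LENGTH = 12   # assumed policy value


def check_password(password, username, hostname="", other_names=(), weak=WEAK_PASSWORDS):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric symbol")
    # Dictionary check on the password as typed and on its alphabetic core, so that
    # "Password1!" is still caught as "password" with the usual decorations added.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in weak or core in weak:
        problems.append("appears in the weak-password dictionary")
    # Guessers try names the attacker already knows: the account, the user, the machine.
    for name in (username, hostname, *other_names):
        if len(name) >= 3 and name.lower() in password.lower():
            problems.append(f"contains the known name '{name}'")
    return problems


def generate_password(length=16):
    """Password generation utility: a random password that passes check_password."""
    length = max(length, MIN_LENGTH)          # never generate something the policy rejects
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, username=""):
            return candidate


if __name__ == "__main__":
    for pw in ("Password1!", "Alice2024!!!", "Tr0ub4dor&3Horse", generate_password()):
        print(repr(pw), check_password(pw, username="alice", hostname="ws-17") or "ok")
```

The dictionary check deliberately strips digits and symbols before the lookup: a checker that only compares the literal string lets "Password1!" through, which is exactly the transformation a dictionary attack applies to every word.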

Page 103: Network Security Lecture

How to improve password security?
• Password aging
  • A requirement that passwords be changed after some period of time
  • Requires mechanisms for:
    • forcing users to change to a different password
    • providing notice of the need to change
    • a user-friendly method to change the password

Page 104: Network Security Lecture

How to improve password security?
• One-time password
  • The password is valid for a single use only, so a captured password cannot be replayed
• Limit login attempts
  • The system monitors unsuccessful login attempts
  • It reacts by locking the user account after repeated failures

Page 105: Network Security Lecture

How to improve password security?
• Inform the user
  • After a successful login the system displays
    • the last login time
    • the number of failed login attempts since then
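The mechanisms on the last three slides (limiting login attempts with a lockout, one-time passwords, password aging, and reporting the last login and the failures since it) fit together in one login routine. The Python block below is an added example, not code from the lecture; the lockout threshold and duration, the 90-day aging period, the plaintext password comparison (a real system compares against a salted hash) and the sample account are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                        # assumed policy: lock after 5 consecutive failures
LOCKOUT = timedelta(minutes=15)         # assumed lockout duration
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed password aging period


@dataclass
class Account:
    username: str
    password: str                       # demo only: a real system stores a salted password hash
    password_set_at: datetime
    one_time_passwords: set = field(default_factory=set)   # issued OTPs not yet used
    consecutive_failures: int = 0       # drives the lockout; reset on lock and on success
    failures_since_login: int = 0       # reported to the user; reset only on success
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


@dataclass
class LoginResult:
    ok: bool
    message: str
    must_change_password: bool = False  # password aging: password older than the policy allows
    last_login: Optional[datetime] = None
    failures_since_last_login: int = 0


def login(acct: Account, supplied: str, now: datetime) -> LoginResult:
    # 1. Limit login attempts: while locked, the password is not even evaluated.
    if acct.locked_until is not None and now < acct.locked_until:
        return LoginResult(False, "account locked")
    # 2. Accept either the reusable password or an unused one-time password.
    if supplied in acct.one_time_passwords:
        acct.one_time_passwords.discard(supplied)   # valid for one use only; a replay fails below
        valid = True
    else:
        valid = hmac.compare_digest(supplied.encode(), acct.password.encode())
    if not valid:
        acct.consecutive_failures += 1
        acct.failures_since_login += 1
        if acct.consecutive_failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.consecutive_failures = 0
            return LoginResult(False, "too many failures; account locked")
        return LoginResult(False, "invalid credentials")
    # 3. Inform the user: last login time and failures since then, then reset the counters.
    result = LoginResult(
        True, "login ok",
        must_change_password=(now - acct.password_set_at) > PASSWORD_MAX_AGE,
        last_login=acct.last_login,
        failures_since_last_login=acct.failures_since_login,
    )
    acct.consecutive_failures = 0
    acct.failures_since_login = 0
    acct.locked_until = None
    acct.last_login = now
    return result


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    alice = Account("alice", "Tr0ub4dor&3Horse", t0 - timedelta(days=10), {"otp-1234"})
    print(login(alice, "wrong", t0))
    print(login(alice, "Tr0ub4dor&3Horse", t0 + timedelta(minutes=1)))
    print(login(alice, "otp-1234", t0 + timedelta(minutes=2)))
    print(login(alice, "otp-1234", t0 + timedelta(minutes=3)))   # replay of a used OTP
```

Two counters are kept on purpose: the consecutive-failure counter exists only to trigger the lockout, while the failures-since-login counter is what the user sees after a successful login, so a lockout in between does not hide the attempts from the legitimate user.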

Page 106: Network Security Lecture

Attacking password
• Password guessing
  • Exhaustive search (brute force): try all possible combinations of valid symbols
  • Dictionary attack: try words from a list of likely passwords
• How the password was chosen determines how hard guessing is:
  • Random selection of passwords
  • Pronounceable and other computer-generated passwords
  • User-selected passwords, often based on account names, user names or computer names

Page 107: Network Security Lecture

Biometrics
• The automated measurement of biological or behavioural features that identify a person
• Method:
  • A set of measurements of the user is taken when the user is given an account
  • When the user accesses the system, the biometric authentication mechanism takes new measurements and compares them with the stored ones to verify the identity

Page 108: Network Security Lecture

Biometrics
• Fingerprints
• Voice
• Eyes
• Faces
• Keystroke dynamics: interval, pressure
• Combinations of the above


Page 109: Network Security Lecture

Ubiquitous Network Embedded System, School of Informatics, Walailak University

Module 2: Network Attack: Taxonomy, Tools, and Systems
Source: N. Hoque et al. (2014), Network attacks: Taxonomy, tools and systems, Journal of Network and Computer Applications, 40, pp. 307-324.

Page 110: Network Security Lecture


Outlines
• Anomalies in networks
• Steps in launching an attack
• Launching and detecting attacks
• Taxonomy of attacks

Page 111: Network Security Lecture

Anomalies in networks
• Anomalies are non-conforming, interesting patterns when compared with a well-defined notion of normal behaviour
• Traffic anomalies in computer networks:
  • network operation anomalies
  • flash crowds
  • network abuse anomalies
• All of these anomalies can be detected by analysing the volume of traffic transmitted from station to station

Page 112: Network Security Lecture

Anomalies in networks
• Examples: DoS/DDoS, scans, worms, outages, ingress shift, information gathering, passive attacks, spoofing attacks, man-in-the-middle, DNS cache poisoning
• All of these attacks cause damage to or disruption of the network environment
• Anomalies can have a large impact on both performance and security:
  • network anomalies cause service degradation and reduce network speed
  • network performance may suffer considerably

Page 113: Network Security Lecture

Steps in launching an attack
1. Information gathering:
  • The attacker attempts to gather vulnerability information about the network in the hope that some of it can be used to aid the ensuing attack

Page 114: Network Security Lecture

Steps in launching an attack
2. Assessing vulnerability:
  • Based on the vulnerabilities learned in the previous step, the attacker attempts to compromise some nodes in the network by exploiting them with malicious code, as a precursor to launching the attack(s)

Page 115: Network Security Lecture

Steps in launching an attack
3. Launching the attack:
  • The attacker launches the attack on the target victim machine(s) using the compromised nodes

Page 116: Network Security Lecture

Steps in launching an attack
4. Cleaning up:
  • Finally, the attacker attempts to eliminate the attack history by cleaning up registry entries or log files on the victim machine(s)

Page 117: Network Security Lecture

Launching attacks
• Before launching an attack, an attacker first attempts to gather vulnerability information about the target system that may help in generating the attack
• The attacker scans the network using information gathering tools such as nmap and finds loopholes in the system
• Based on the gathered information, the attacker runs exploit code, possibly downloaded from the network

Page 118: Network Security Lecture

Launching attacks
• The malicious code may be used first to compromise hosts in the network, or it may be used directly to launch an attack and disrupt the network
• There are many methods for launching an attack:
  • one may use Trojans or worms to generate an attack on a system or a network
  • scanning or information gathering may be coordinated with an attack and performed simultaneously
  • one can also use attack launching tools such as Dsniff, IRPAS, Ettercap and Libnet to generate MAC attacks, ARP attacks or VLAN attacks

Page 119: Network Security Lecture

Launching attacks
• The main purpose of the attacker in many cases is to disrupt services provided by the network, either by consuming resources or by consuming bandwidth
• These attacks can be launched by flooding the victim with apparently legitimate requests, as in TCP SYN flooding, ICMP flooding and UDP flooding

Page 120: Network Security Lecture

Detecting an Attack
• To detect an attack, one must know the characteristics of the attack and its behaviour in a network
• The network administrator needs a visualization or monitoring system to observe the differences between the characteristics of abnormal traffic and normal traffic
• An attack can be detected from the traffic volume, based on packet header or network flow information

Page 121: Network Security Lecture

Detecting an Attack
• However, such detection usually requires processing huge volumes of data in near real time
• Designing a real-time defense mechanism that can identify all attacks is a challenging and quite likely impossible task
• Most detection methods need some prior information about attack characteristics to use during the detection process

Page 122: Network Security Lecture

Detecting an Attack
• The evaluation of these intrusion detection mechanisms or systems is performed using the misclassification rate or the false alarm rate
• To obtain satisfactory results, an IDS designer needs to be careful in choosing an approach, a matching mechanism or any heuristic, and in making assumptions
• Approaches that have been able to obtain acceptable results include statistical, soft computing, probabilistic, knowledge-based and hybrid methods

Page 123: Network Security Lecture

Detecting an Attack
• Detection systems are designed to protect the network from exploitation of different types of vulnerabilities, which may crash the network or leak private or secure information
• Deployment of an accurate and efficient anomaly detection system demands appropriate design according to standard security requirements and risk analysis
• The detection system can be either host based or network based

Page 124: Network Security Lecture

Detecting an Attack (figure slide: a typical network structure with a protected LAN, a demilitarized zone and an IDS console; image not reproduced)

Page 125: Network Security Lecture

Detecting an Attack
• A typical network structure consists of a protected LAN, a demilitarized zone and a deployed IDS console
• A demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet
• An attacker may launch an attack from various machines connected to the network, via either wired or wireless media

Page 126: Network Security Lecture

Detecting an Attack
• The increasing number of highly sophisticated attacks of a complex and evolving nature has made the task of defending networks challenging
• The appropriate use of tools and systems can simplify the task significantly
• This necessitates an awareness of the characteristics and relevance of these tools and systems, and of their usage

Page 127: Network Security Lecture

Network Security Tools
• People use different attack tools to disrupt a network for different purposes
• Attackers generally target Web sites or databases as well as enterprise networks, gathering information about their weaknesses
• In general, attackers use the tools relevant to the class of attack they wish to launch
• A large number of defense tools have also been made available by network security research groups as well as private security professionals
• These tools have different purposes, capabilities and interfaces

Page 128: Network Security Lecture

Taxonomy of Attacks (figure slide; the taxonomy diagram is not reproduced)

Page 129: Network Security Lecture

Taxonomy of Tools (figure slide; the taxonomy diagram is not reproduced)

Page 130: Network Security Lecture

Sniffing Tools: Tcpdump
• Tcpdump:
  • Tcpdump is a premier packet analyzer for information security professionals
  • It enables one to capture, save and view packet data
  • It works on most flavours of the Unix operating system
  • One can also use third-party open source software, e.g. Wireshark, to open and visualize traffic captured by tcpdump

Page 132: Network Security Lecture

Sniffing Tools: Ethereal
• Ethereal:
  • Ethereal is a sniffing and traffic analysis tool for Windows, Unix and Unix-like operating systems, released under the GNU GPL (the project was renamed Wireshark in 2006)
  • It builds on two primary libraries:
    • GTK+, a GUI library
    • libpcap, a packet capture and filtering library
  • Ethereal is also capable of reading the output of tcpdump and can apply tcpdump filters to select and display records satisfying certain parameters
  • Ethereal offers decoding options for a large number (>400) of protocols and is useful in network forensics

Page 133: Network Security Lecture

Sniffing Tools
• Sniffing tools are not equally useful for all purposes all the time
• Their usefulness and importance depend on the user's requirements and purpose at a certain point in time
• For example, Cain & Abel is designed primarily for password recovery rather than general-purpose traffic capture and analysis
• Most people use tcpdump and libpcap as network sniffing tools to capture all the information in packets and store it in a file
• One can use the Nfsen and Nfdump tools for NetFlow traffic collection, whereas Gulp is used for packet-level traffic capture; Gulp, like tcpdump, is built on libpcap

Page 134: Network Security Lecture

Scanning Tools
• A network scanning tool aims to identify active hosts on a network, either to attack them or to assess the vulnerabilities in the network
• It provides an overall status report regarding network hosts, ports, IP addresses, etc.

Page 135: Network Security Lecture

Scanning Tools: nmap
• Nmap:
  • This network mapping tool facilitates network exploration and security auditing
  • It can scan large networks fast, and works equally well against single hosts
  • It uses raw IP packets to identify a large number of useful parameters, such as available hosts, services offered by the hosts, operating systems running, and use of packet filters or firewalls
  • In addition to its use in security audits, network administrators can use it for routine tasks such as maintaining network inventory, managing service upgrade schedules, and monitoring host or service uptime

Page 136: Network Security Lecture

Scanning Tools
• For scanning a large network, nmap is the most effective tool
• Nmap can scan a large network to determine multiple parameters such as active hosts and ports, host operating systems, protocols, timing and performance, firewall/IDS evasion and spoofing, and IPv6 scanning
• Due to its multiple functionalities, network administrators find it very useful for monitoring a large network
• Amap and Vmap do not support many of the functions performed by nmap
• Attackers use nmap to find vulnerabilities in a host in order to compromise it when constructing BotNets for DDoS attacks using the agent-handler architecture
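Detection from packet header information, as described on the Detecting an Attack slides, can be demonstrated against tcpdump-style output: a TCP SYN flood shows up as half-open handshakes piling up at one service, and an nmap-style port scan as one source sending SYNs to many ports. The following Python block is an added example for this page, not code from the lecture or from tcpdump or nmap; the capture lines are constructed to mimic tcpdump's text format, and the thresholds (8 ports for a scan, 15 half-open connections for a flood) are assumed values that a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump TCP line, e.g.
# "10:00:00.000001 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [S], seq 1, ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None for anything else."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def analyse(lines, scan_ports=8, flood_half_open=15):
    half_open = {}                       # (src, sport, dst, dport) -> True while the handshake is incomplete
    ports_by_src = defaultdict(set)      # src -> set of destination ports it sent SYNs to
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if flags == "S":                 # bare SYN: a client opening a connection
            half_open[(src, sport, dst, dport)] = True
            ports_by_src[src].add(dport)
        elif flags == ".":               # bare ACK from the client completes the handshake
            half_open.pop((src, sport, dst, dport), None)
    # SYN flood: many half-open connections left behind at one service
    per_dst = defaultdict(int)
    for (_, _, dst, dport) in half_open:
        per_dst[(dst, dport)] += 1
    floods = {k: n for k, n in per_dst.items() if n >= flood_half_open}
    # Port scan: one source touching many distinct ports
    scans = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= scan_ports}
    return {"syn_flood_targets": floods, "port_scanners": scans}


# Constructed sample capture (not real traffic), in tcpdump's text format.
def _handshake(client, cport, server, sport):
    return [
        f"10:00:00.000001 IP {client}.{cport} > {server}.{sport}: Flags [S], seq 1, win 64240, length 0",
        f"10:00:00.000002 IP {server}.{sport} > {client}.{cport}: Flags [S.], seq 9, ack 2, win 65535, length 0",
        f"10:00:00.000003 IP {client}.{cport} > {server}.{sport}: Flags [.], ack 10, win 64240, length 0",
    ]

SAMPLE_CAPTURE = []
SAMPLE_CAPTURE += _handshake("10.0.0.5", 40001, "192.168.1.10", 80)      # two normal clients
SAMPLE_CAPTURE += _handshake("10.0.0.6", 40002, "192.168.1.10", 443)
for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389):                # a port scan: ten ports, all refused
    SAMPLE_CAPTURE.append(f"10:00:01.000001 IP 10.0.0.9.51000 > 192.168.1.10.{p}: Flags [S], seq 1, win 1024, length 0")
    SAMPLE_CAPTURE.append(f"10:00:01.000002 IP 192.168.1.10.{p} > 10.0.0.9.51000: Flags [R.], seq 0, ack 2, win 0, length 0")
for i in range(20):                                                     # a SYN flood from twenty spoofed sources
    SAMPLE_CAPTURE.append(f"10:00:02.{i:06d} IP 203.0.113.{i + 1}.{1024 + i} > 192.168.1.10.80: Flags [S], seq 1, win 512, length 0")

if __name__ == "__main__":
    print(analyse(SAMPLE_CAPTURE))
```

The same logic applies to flow records instead of packets: a NetFlow export of a SYN flood shows many one-packet flows with only the SYN flag set toward one destination port, which is the per-destination count computed here. Note that the flood is counted per destination service rather than per source, because a flood with spoofed source addresses contributes only one half-open connection per source.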

Page 137: Network Security Lecture

Attack Launching Tools
• A large number of network security tools that can be used to launch attacks are available on the Web
• People can freely download these tools and use them for malicious activities:
  • Trojan propagation, network mapping, probe attacks, buffer overflow attacks, DoS/DDoS attacks, and application layer attacks

Page 138: Network Security Lecture

Attack Launching Tools
• Such tools can be used to launch layer-specific and protocol-specific attacks:
  • HTTP, SMTP, FTP or SNMP related attacks
• Other tools can be used to launch DoS/DDoS attacks, which can disrupt the services of a network or a Web site very quickly
• Some tools are used in wired networks to capture and exploit valuable information, while others are used in wireless networks

Page 139: Network Security Lecture

Trojans
• Trojans are malicious executable programs developed to break the security of a computer or a network
• A Trojan resides in a system disguised as a benign program file
• Once the user attempts to open the file, the Trojan is executed and some dangerous action is performed

Page 140: Network Security Lecture

Trojans
• Victims generally download the Trojan unknowingly from multiple sources:
  • the Internet, FTP archives, peer-to-peer file exchange using BitTorrent, Internet messaging
• Typically, Trojans are of seven distinct types:
  • remote access Trojans, data-sending Trojans, destructive Trojans, proxy Trojans, FTP Trojans, security software disabling Trojans, and DoS Trojans

Page 141: Network Security Lecture

Trojans
• Remote access Trojans
  • Remote access Trojans are malware programs that use backdoors to control the target machine with administrative privilege
  • These Trojans are downloaded invisibly along with something the user requested, such as a game or an email attachment
  • Once the attacker compromises a machine, the Trojan uses this machine to compromise more machines to construct a BotNet for launching a DoS or DDoS attack

Page 142: Network Security Lecture

Trojans
• Remote access Trojans
  • An example of a remote access Trojan is Danger
• Data-sending Trojans
  • Sending Trojans are used to capture and deliver sensitive information such as passwords, credit card information, log files, e-mail addresses, and IM contact lists to the attacker
  • In order to collect such information, such Trojans attempt to install a keylogger to capture and transmit all recorded keystrokes to the attacker
  • Examples of this type of Trojan are the Badtrans.B email virus and Eblast

Page 143: Network Security Lecture

Trojans
• Destructive Trojans
  • These Trojans are very destructive for a computer and are often programmed to automatically delete essential files such as configuration and dynamic link library (DLL) files
  • Such Trojans act either
    • (i) on the instructions of a back-end server, or
    • (ii) on pre-installed or programmed instructions, to strike on a specific day at a specific time
  • Two common examples of this type are the Bugbear virus and the Goner worm

Page 144: Network Security Lecture

Trojans
• Proxy Trojans
  • These Trojans attempt to use a victim's computer as a proxy server
  • A Trojan of this kind compromises a computer and performs malicious activities through it, such as fraudulent credit card transactions and attacks against other networks, so that the activity appears to come from the victim
  • Examples of proxy Trojans are TrojanProxy:Win32 and Paramo.F

Page 145: Network Security Lecture

Trojans
• FTP Trojans
  • These Trojans attempt to open port 21 on the victim computer and establish a connection between the victim and the attacker using the File Transfer Protocol (FTP), giving the attacker access to the victim's files
  • An example of an FTP Trojan is FTP99cmp

Page 146: Network Security Lecture

Trojans
• Security software disabling Trojans
  • These Trojans attempt to destroy or thwart defense mechanisms or protection programs such as antivirus programs or firewalls
  • Often such a Trojan is combined with another type of Trojan as a payload
  • Some examples are trojan.Win32.KillAV.ctp and trojan.Win32.Disable.b

Page 147: Network Security Lecture

Trojans
• DoS Trojans
  • These Trojans attempt to flood a network instantly with useless traffic, so that it cannot provide any service
  • The examples usually given for this category are Ping of Death and Teardrop; strictly speaking these are DoS attack techniques that a DoS Trojan may carry as its payload, rather than Trojan programs themselves

Page 148: Network Security Lecture

Denial of Service (DoS)
• Denial of service (DoS) is a commonly found yet serious class of attack, caused by an explicit attempt of an attacker to prevent or block legitimate users of a service from using the desired resources
• Such an attack can be launched from a single source or in a distributed setting
• Examples: SYN flooding, smurf, fraggle, jolt, land, and ping-of-death

Page 149: Network Security Lecture

Denial of Service (DoS)
• A Distributed Denial of Service (DDoS) attack is a coordinated attempt on the availability of the services of a victim system, a group of systems, or network resources, launched indirectly from a large number of compromised machines on the Internet
• Typically, a DDoS attacker adopts an m:1 approach (many compromised machines against a single victim machine) or an m:n approach, which makes the attack very difficult to detect or prevent
• A DDoS attacker normally initiates such a coordinated attack using either an architecture based on agent handlers or Internet Relay Chat (IRC)

Page 150: Network Security Lecture

Denial of Service (DoS)
• The attacking hosts are usually personal computers with broadband connections to the Internet
• These computers are compromised by viruses or Trojan programs called bots
• The compromised computers are usually referred to as zombies
• The actions of these zombies are controlled by remote perpetrators, often through
  • (a) BotNet commands and
  • (b) a control channel such as IRC
• DDoS attacks can be classified in the following ways

Page 151: Network Security Lecture

Classification of DoS
• By degree of automation:
  • The attack generation steps (recruit, exploit, infect and use phases) can be performed in three possible ways: manual, automatic, and semi-automatic
• By exploited vulnerability:
  • The attacker exploits a vulnerability of a system to deny the services provided by that system to legitimate users
  • In semantic attacks, the attacker exploits a specific feature or implementation bug of some protocol or application installed on the victim machine to overload the resources used by that machine
  • An example of such an attack is the TCP SYN attack

Page 152: Network Security Lecture

Classification of DoS
• By attack network used:
  • To launch a DDoS attack, an attacker may use either an agent-handler network or an IRC network
• By attack rate dynamics:
  • Depending on the number of agents used to generate a DDoS attack, the attack rate may be either constant or variable
  • Besides these, an increasing-rate attack and a fluctuating-rate attack can also be mounted using a rate change mechanism

Page 153: Network Security Lecture

Classification of DoS
• By victim type:
  • DDoS attacks can be generated to paralyze different types of victims
  • Examples include application attacks, host attacks, network attacks, and infrastructure attacks
• By impact:
  • Based on the impact of a DDoS attack, it may be either a disruptive or a degrading attack
• By agent set:
  • A DDoS attack can be generated by a constant agent set or a variable agent set

Page 154: Network Security Lecture

Packet forging attack tools
• Packet forging tools are useful for forging or manipulating packet information
• An attacker can generate traffic with manipulated (spoofed) IP addresses using this category of tools
• Nemesis is widely used to generate custom packets for different protocols
• It supports most protocols, such as ARP, DNS, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP; this makes it very effective compared to other tools
• Other advantages of this tool are that:
  • anyone can generate custom packets from the command prompt or using shell scripts on a system
  • attackers find it very useful for generating attack packets
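What a packet forging tool such as Nemesis does at the byte level is assemble protocol headers with attacker-chosen fields and correct checksums. The Python block below is an added example written for this page, not code from Nemesis or from the lecture; it builds an IPv4/TCP SYN segment with a spoofed source address and decodes it again the way a receiver or IDS would, but only produces bytes in memory (transmitting them would require a raw socket and root privileges, and is deliberately left out). The addresses and ports are constructed sample values.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header; the source address is whatever the caller claims (spoofing)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # The checksum field (bytes 10-11) is computed over the header with that field zeroed.
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0, window: int = 64240) -> bytes:
    """20-byte TCP header with only SYN set; the checksum also covers the IPv4 pseudo-header."""
    offset_flags = (5 << 12) | 0x02            # data offset 5 words, flags = SYN
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, len(tcp))
    return tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]


def forge_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """A complete IPv4 packet carrying a TCP SYN from the claimed source address."""
    tcp = build_tcp_syn(src, dst, sport, dport, seq)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the packet the way a receiver would, verifying both checksums."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    pseudo = struct.pack("!4s4sBBH", s, d, 0, proto, len(pkt) - ihl)
    return {
        "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "ttl": ttl, "proto": proto,
        "total_len": total_len, "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
        # A header whose checksum field is valid sums to zero under the same algorithm.
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + pkt[ihl:]) == 0,
    }


if __name__ == "__main__":
    pkt = forge_syn("203.0.113.7", "192.168.1.10", 40000, 80, seq=1)   # constructed sample values
    print(pkt.hex())
    print(parse_packet(pkt))
```

Nothing in the IPv4 or TCP header authenticates the source address: the receiver can verify the checksums and still learn nothing about where the packet actually came from, which is why the SYN floods classified earlier can use a different spoofed source for every packet.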

Page 155: Network Security Lecture

Application Layer Attack
• The attacker uses legitimate application layer HTTP requests from legitimately connected network machines to overwhelm a Web server
• An application layer attack may take the form of a session flooding attack, a request flooding attack or an asymmetric attack
• Application layer DDoS attacks are more subtle than network layer attacks, and detecting them is difficult because they use legitimate protocols and legitimate connections
• Examples: HTTP-related attacks, SMTP-related attacks, FTP-related attacks, SNMP-related attacks

Page 156: Network Security Lecture

Fingerprinting attack tools
• Fingerprinting tools are used to identify specific features of a network protocol implementation by analyzing its input and output behaviour
• The identified features include protocol version, vendor information and configurable parameters
• Fingerprinting tools are used to identify the operating system running on a remote machine and can also be used for other purposes

Page 157: Network Security Lecture

Fingerprinting attack tools
• Existing fingerprinting tools show that implementations of most key Internet protocols, such as ICMP, TCP, TELNET and HTTP, have distinguishing quirks and bugs
• Network administrators can use remote fingerprinting to collect information to facilitate management, and an intrusion detection system can capture the abnormal behaviour of attackers or worms by analyzing their fingerprints

Page 158: Network Security Lecture

User Attack Tools
• In user attacks, the attacker either
  • attempts, as a normal legitimate user, to gain the privileges of root or a superuser, or
  • attempts to access a local machine by exploiting its vulnerabilities without having an account on that machine
• Both types of attempt are very difficult to detect because their behaviour resembles normal activity
• These attacks are discussed below by category, along with the tools used to launch them

Page 159: Network Security Lecture

U2R Attack
• The attacker initially attempts to gain access to the local victim machine as a legitimate user
• The means may be a password sniffing attempt, a dictionary attack, or some social engineering approach
• The attacker then explores possible vulnerabilities or bugs associated with the operating system running on the victim machine to perform the transition from user to superuser or root level
• Once root privileges are acquired, the attacker has full control of the victim machine: installing backdoor entries for future exploits, manipulating system files to gather information, and other damaging actions

Page 160: Network Security Lecture

U2R Attack (figure slide; image not reproduced)

Page 161: Network Security Lecture

U2R Attack
• Two well-known U2R attack tools are described next
  • Yaga: This tool is used to create a new administrator account by compromising registry files. The attacker edits the registry so as to crash some system services on the victim machine and create a new administrator account.
  • SQL attack: Here, the attacker creates a TCP connection to an SQL database server on a Unix machine. The database shell exits when a special escape sequence is issued, and a root shell of the machine is started by running the Perlmagic3 script.

Page 162: Network Security Lecture

R2L Attack
• A remote attacker, without an account on a local machine, sends packets to that machine and gains local access by exploiting the vulnerabilities of that machine
• To gain access to the local machine, the attacker tries various approaches
• Two such approaches are
  • using online and offline dictionary attacks to acquire a password for the machine, and
  • making repeated guesses at possible usernames and passwords

Page 163: Network Security Lecture

R2L Attack (figure slide; image not reproduced)

Page 164: Network Security Lecture

R2L Attack
• The attacker also attempts to take advantage of those legitimate users who are careless in choosing their passwords
• Below are two R2L attack tools
  • Netcat: This R2L attack uses a Trojan program to install and run Netcat on the victim machine, listening on port 53. The Netcat listener works as a backdoor into the machine, reachable through that port without any username or password.
  • ntfsdos: The attacker gains the console of a Windows NT machine and runs ntfsdos. The program mounts the machine's NTFS disk drives, bypassing the file system's permissions, so the attacker is able to copy secret files to secondary media.

Page 167: Network Security Lecture

Module 3: Access Control

Page 168: Network Security Lecture

Outlines
• Overview of Access Control
• Access Control Methods

Page 169: Network Security Lecture

Overview of Access Control

Page 170: Network Security Lecture

Overview of Access Control
• What is Access Control?
  • The ability to allow only authorized users, programs or processes access to a system or resource
  • The granting or denying, according to a particular security model, of certain permissions to access a resource
  • An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
• Access control is the heart of security

Page 171: Network Security Lecture

Example of Access Control
• Social Networks:
  • In most social networks, such as Facebook and MySpace, some of your personal information can only be accessed by yourself, some can be accessed by your friends, and some can be accessed by everybody
  • The part of the system that implements this kind of control is doing access control

Page 172: Network Security Lecture

Example of Access Control
• Web Browsers:
  • When you browse a web site and run JavaScript code from that web site, the browser has to control what such JavaScript code can access and what it cannot
  • For example, code from one web site cannot access the cookies of another web site, and it cannot modify the contents of another web site either
  • These controls are enforced by the browser's access control (the same-origin policy)


Page 173: Network Security Lecture


Example of Access Control
• Operating Systems:
  • In an operating system, one user cannot arbitrarily access another user's files.
  • A normal user cannot kill another user's processes.
  • These are done by operating system access control.


Page 174: Network Security Lecture


Example of Access Control
• Memory Protection:
  • In the Intel 80x86 architecture, code in one region cannot access the data in another, more privileged region.
  • This is done by the access control implemented in the CPU (e.g. 80386 protected mode).


Page 175: Network Security Lecture


Example of Access Control
• Firewalls:
  • Firewalls inspect every incoming (sometimes outgoing) packet.
  • If a packet matches certain conditions, it will be dropped by the firewall, preventing it from accessing the protected networks.
  • This is also access control.


Page 176: Network Security Lecture


What should we learn about access control?
• Access Control Policy Models: how access control policies are configured and managed.
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)


Page 177: Network Security Lecture


What should we learn about access control?
• Access Control Mechanism: how access control is implemented in systems.
  • Access Control Matrices
  • Access Control List
  • Capability
  • Role-Based Access Control


Page 178: Network Security Lecture


What should we learn about access control?
• Design Principles: what are the useful principles that can guide the design and contribute to an implementation that is strong in security.
  • Building a protection system is like building a bridge.
  • We never ask people without civil engineering training to build a bridge for us, because we know that to build a bridge we need to follow some civil engineering principles.


Page 179: Network Security Lecture


DAC: Discretionary Access Control
• Definition:
  • An individual user can set an access control mechanism to allow or deny access to an object.
  • Relies on the object owner to control access.
• DAC is widely implemented in most operating systems, and we are quite familiar with it.
• Strength of DAC: flexibility, a key reason why it is widely known and implemented in mainstream operating systems.


Page 180: Network Security Lecture


MAC: Mandatory Access Control
• Definition:
  • A system-wide policy decrees who is allowed to have access; an individual user cannot alter that access.
  • Relies on the system to control access.
• Example: the law allows a court to access driving records without the owners' permission.
• Traditional MAC mechanisms have been tightly coupled to a few security models.
• Recently, systems supporting flexible security models have started to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.).
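The DAC and MAC definitions above can be contrasted on a single request. The following is an added example, not code from the lecture: the subject and object names, the three-level sensitivity lattice and the Bell-LaPadula style "read down, write up" rule used for the MAC part are assumptions chosen for illustration. The point it shows is that an owner's DAC grant cannot override the system-wide MAC decision.

```python
"""Added example: DAC vs MAC decisions on the same access request.

Not from the lecture. Subjects, objects, the clearance levels and the
Bell-LaPadula style rule used for MAC are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels for the MAC part (assumed lattice).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # MAC label, set by the system
    perms: dict = field(default_factory=dict)   # DAC: subject -> set of rights

    def grant(self, actor: str, subject: str, right: str) -> None:
        """DAC: only the owner may change who can access the object."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.perms.setdefault(subject, set()).add(right)


def dac_allowed(subject: str, obj: Obj, right: str) -> bool:
    """Owner always has access; others get only what the owner granted."""
    return subject == obj.owner or right in obj.perms.get(subject, set())


def mac_allowed(clearance: str, obj: Obj, right: str) -> bool:
    """System-wide rule (Bell-LaPadula style): read down, write up."""
    s, o = LEVELS[clearance], LEVELS[obj.label]
    if right == "read":
        return s >= o          # no read up
    if right == "write":
        return s <= o          # no write down
    return False


def authorize(subject: str, clearance: str, obj: Obj, right: str) -> bool:
    """MAC is decided first and cannot be overridden by a DAC grant."""
    return mac_allowed(clearance, obj, right) and dac_allowed(subject, obj, right)


def demo() -> dict:
    # Constructed sample: alice owns a file the system has labelled 'secret'.
    report = Obj("report.txt", owner="alice", label="secret")
    report.grant("alice", "bob", "read")          # DAC grant by the owner
    try:
        report.grant("bob", "mallory", "read")    # a non-owner cannot grant
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False
    return {
        "bob_can_grant": bob_can_grant,
        "dac_bob_read": dac_allowed("bob", report, "read"),
        # bob holds only 'public' clearance: DAC says yes, MAC says no
        "bob_public_read": authorize("bob", "public", report, "read"),
        # with 'secret' clearance both checks pass
        "bob_secret_read": authorize("bob", "secret", report, "read"),
        # writing up into a higher label is allowed by MAC, and alice owns it
        "alice_public_write": authorize("alice", "public", report, "write"),
        # ownership does not help alice read 'secret' with 'public' clearance
        "alice_public_read": authorize("alice", "public", report, "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and compare `dac_bob_read` (True) with `bob_public_read` (False): the owner granted the right, but the mandatory policy still denies the request, which is exactly the "individual user cannot alter that access" property of MAC.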


Page 181: Network Security Lecture


Access Control Method

Page 182: Network Security Lecture


Access Control Methods
• Access Control Matrices
  • A simple framework for describing a protection system by describing the privileges of subjects on objects.
  • Subjects can be users, processes, agents, groups.
  • Objects can be data, memory banks, other processes.
  • Privileges (permissions, rights) can be read, write, modify, …


Page 183: Network Security Lecture


Access Control Methods
• Access Control Matrices
  • A triple (S, O, M), where S is a set of subjects, O is a set of objects and M is a matrix defining the privileges/rights of a subject s ∈ S on an object o ∈ O.


Page 184: Network Security Lecture


Access Control Methods
• Access Control Matrices
  • M provides a basis for different possible enforcement mechanisms:
    • Access control lists
    • Capability lists
  • Disadvantage: in a large system, the matrix will be enormous in size and mostly sparse.


Page 185: Network Security Lecture


Access Control Methods
• Access Control List
  • The column of the access control matrix.
  • Advantage:
    • Easy to determine who can access a given object.
    • Easy to revoke all access to an object.
  • Disadvantage:
    • Difficult to know the access rights of a given subject.
    • Difficult to revoke a user's rights on all objects.
  • Used by most mainstream operating systems.


Page 186: Network Security Lecture


Access Control Methods
• Access Control List
  • ACLs are usually used for DAC.
  • An ACL is compact and easy to review; deleting an object is simple, but deleting a subject is more difficult.


Page 187: Network Security Lecture


Access Control Methods
• Capability List
  • The row of the access control matrix.
  • A capability can be thought of as a pair (x, r) where x is the name of an object and r is a set of privileges or rights.
  • Advantage:
    • Easy to know the access rights of a given subject.
    • Easy to revoke a user's access rights on all objects.
  • Disadvantage:
    • Difficult to know who can access a given object.
    • Difficult to revoke all access rights to an object.
  • A number of capability-based computer systems were developed, but have not proven to be commercially successful.
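The three slides above (the matrix (S, O, M), its column view as ACLs and its row view as capability lists) are best seen side by side. The following is an added example, not code from the lecture: the same constructed matrix is stored once as ACLs and once as capability lists, and each store reports how many entries it had to scan for a revocation, which makes the advantage/disadvantage pairs above concrete. The subjects, objects and rights are constructed sample data.

```python
"""Added example (not from the lecture): one access control matrix (S, O, M)
stored two ways, as ACLs (one column per object) and as capability lists
(one row per subject), to show why each makes some operations cheap and
others expensive. Subjects, objects and rights are constructed samples."""
from collections import defaultdict


class AclStore:
    """Column view: object -> {subject: rights}."""

    def __init__(self):
        self.by_object = defaultdict(dict)

    def grant(self, s, o, rights):
        self.by_object[o][s] = set(rights)

    def check(self, s, o, right):
        return right in self.by_object.get(o, {}).get(s, set())

    def who_can(self, o):                       # easy: one lookup
        return {s: set(r) for s, r in self.by_object.get(o, {}).items()}

    def revoke_object(self, o):                 # easy: drop one column
        self.by_object.pop(o, None)
        return 1                                # entries touched

    def revoke_subject(self, s):                # hard: scan every object
        scanned = 0
        for entries in self.by_object.values():
            scanned += 1
            entries.pop(s, None)
        return scanned


class CapStore:
    """Row view: subject -> {object: rights}; each pair is a capability (x, r)."""

    def __init__(self):
        self.by_subject = defaultdict(dict)

    def grant(self, s, o, rights):
        self.by_subject[s][o] = set(rights)

    def check(self, s, o, right):
        return right in self.by_subject.get(s, {}).get(o, set())

    def rights_of(self, s):                     # easy: one lookup
        return {o: set(r) for o, r in self.by_subject.get(s, {}).items()}

    def revoke_subject(self, s):                # easy: drop one row
        self.by_subject.pop(s, None)
        return 1

    def revoke_object(self, o):                 # hard: scan every subject
        scanned = 0
        for caps in self.by_subject.values():
            scanned += 1
            caps.pop(o, None)
        return scanned


# Constructed matrix M: (subject, object) -> rights. Empty cells are absent.
MATRIX = {
    ("alice", "alice.txt"): {"read", "write"},
    ("alice", "/etc/passwd"): {"read"},
    ("bob", "bob.txt"): {"read", "write"},
    ("bob", "alice.txt"): {"read"},
    ("bob", "/etc/passwd"): {"read"},
    ("root", "/etc/passwd"): {"read", "write"},
}


def build(store_cls):
    store = store_cls()
    for (s, o), rights in MATRIX.items():
        store.grant(s, o, rights)
    return store


def density():
    """Fraction of matrix cells that are non-empty; in real systems this
    becomes tiny, which is the 'enormous and mostly sparse' disadvantage."""
    subjects = {s for s, _ in MATRIX}
    objects = {o for _, o in MATRIX}
    return len(MATRIX) / (len(subjects) * len(objects))


def demo():
    acl, cap = build(AclStore), build(CapStore)
    out = {
        "acl_who_can_alice_txt": acl.who_can("alice.txt"),
        "cap_rights_of_bob": cap.rights_of("bob"),
        "bob_read_alice_txt": acl.check("bob", "alice.txt", "read")
        and cap.check("bob", "alice.txt", "read"),
    }
    # Revoking everything on one object: one step with ACLs, a scan with caps.
    out["acl_revoke_object_cost"] = acl.revoke_object("alice.txt")
    out["cap_revoke_object_cost"] = cap.revoke_object("alice.txt")
    # Revoking one subject everywhere: a scan with ACLs, one step with caps.
    out["acl_revoke_subject_cost"] = acl.revoke_subject("bob")
    out["cap_revoke_subject_cost"] = cap.revoke_subject("bob")
    out["bob_read_after"] = (acl.check("bob", "/etc/passwd", "read")
                             or cap.check("bob", "/etc/passwd", "read"))
    return out
```

Both stores give identical answers to `check`; only the cost of the two revocation operations differs, which is the whole reason to pick one representation over the other.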


Page 188: Network Security Lecture


Access Control Methods
• Capability List


Page 189: Network Security Lecture


RBAC


Page 190: Network Security Lecture


Access Control List Examples
• UNIX ACL
  • Abbreviations of Access Control Lists: three classes, owner, group, other users.
  • Full Access Control Lists
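The abbreviated UNIX ACL above compresses the per-object column of the matrix into three classes. The following is an added example, not code from the lecture, that evaluates a request against the owner / group / other mode bits the way the classic UNIX rule does: the first class the user falls into decides, and the other classes are never consulted. The files, users and group memberships are constructed sample data; the superuser handling follows Linux's CAP_DAC_OVERRIDE behaviour.

```python
"""Added example (not from the lecture): evaluating the UNIX abbreviated ACL
(owner / group / other permission classes) for an access request.
The files, users and groups below are constructed sample data."""

BIT = {"r": 4, "w": 2, "x": 1}


def parse_mode(symbolic: str) -> int:
    """Turn 'rwxr-x---' (as shown by ls -l) into the numeric mode 0o750."""
    if len(symbolic) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for ch in symbolic:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode


# path -> (mode string, owner, group); constructed sample files
FILES = {
    "/home/alice/notes.txt": ("rw-r-----", "alice", "staff"),
    "/srv/share/readme":     ("---rw-rw-", "alice", "staff"),  # owner locked out
    "/usr/bin/tool":         ("rwxr-xr-x", "root", "root"),
}

# user -> set of groups the user belongs to; constructed sample accounts
USERS = {
    "root":  {"root"},
    "alice": {"staff"},
    "bob":   {"staff"},
    "carol": {"guests"},
}


def class_bits(mode: int, owner: str, group: str, user: str) -> int:
    """Pick the first matching class: owner, then group, then other.
    Only that class is consulted, which is why an owner of a file with mode
    ---rw-rw- is denied even though group and other would be allowed."""
    if user == owner:
        return (mode >> 6) & 7
    if group in USERS.get(user, set()):
        return (mode >> 3) & 7
    return mode & 7


def unix_check(user: str, path: str, want: str) -> bool:
    """Decide whether `user` may perform `want` ('r', 'w' or 'x') on `path`."""
    mode_str, owner, group = FILES[path]
    mode = parse_mode(mode_str)
    if user == "root":
        # The superuser bypasses the mode bits for read and write
        # (Linux CAP_DAC_OVERRIDE); execute still needs some x bit set.
        return want != "x" or bool(mode & 0o111)
    return bool(class_bits(mode, owner, group, user) & BIT[want])
```

The `/srv/share/readme` entry is the case worth remembering when reading `ls -l` output: a file whose owner class is `---` denies its own owner, no matter how permissive the group and other classes are.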


Page 191: Network Security Lecture


Access Control List Examples
• Windows NT
  • Generic rights: No access, Read, Change, Full control.
  • Built-in Groups (each has different privileges):
    • Everyone: all users
    • Interactive: users logged on locally
    • Network: users logged on over the network
    • System: the operating system
    • Creator / Owner: creator or owner of a file or a resource


Page 192: Network Security Lecture


Access Control List Examples
• Social networks
  • Most social networks use ACLs as their main access control model. Users can specify who can access their profiles, friend lists, etc.
