Internet Networks
AFCEA - Cyber Operations, Lecture #5
Paul A. Strassmann, George Mason University, 5/22/2012
Attacks on Cyber Security
Social Media Attacks
Cyber Security is Asymmetric
• A phony “Robin Sage”, easily masquerading as an employee of the Naval Network Warfare command, was able to accumulate in a few months 300 friends on LinkedIn, 110 on Facebook and had 141 followers on Twitter.
• She connected with the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines and a chief of staff for the U.S. House of Representatives.
A Social Media Cyber-Attack
1. The cybercriminal sets up a bogus profile, such as “Ana Maria”.
2. An encrypted malware string is coded as text and then uploaded into the bogus profile.
3. After the message enters a customer’s machine, it searches for the string, which signals the beginning of the malware code.
4. The malware is then executed. If it is a Trojan or a bot, it can proceed to attack the customer’s computer or to propagate further.
Example of Bounties for Bug Catchers, by Google
• $3,137 to Sergey Glazunov for bug 68666
• $1,337 to Sergey Glazunov for bug 35724
• $1,337 to Sergey Glazunov for bug 45400
• $1,337 to Sergey Glazunov for bug 50553
• $1,337 to Keith Campbell for bug 51630
• $1,337 to Aki Helin from OUSPG for bug 59036
• $1,337 to Sergey Glazunov for bug 65764
• $1,337 to Sergey Glazunov for bug 70165
• $1,000 to Tokuji Akamine for bug 30660
• $1,000 to kuzzcc for bug 37383
• $1,000 to Jordi Chancel for bug 40445
http://dev.chromium.org/Home/chromium-security/hall-of-fame
“Safe Browsing” Service – Two Factor Authentication
• Safe Browsing is a service provided by Google that enables applications to check URLs against Google's constantly updated lists of suspected phishing and malware pages.
• Here are some of the things you can do with the Safe Browsing service:
• Warn users before clicking on links that appear in your site when they lead to malware-infected pages.
• Prevent users from posting links to known phishing pages from your site.
• Check a list of pages against Google's lists of suspected phishing and malware pages.
Attacks on Cyber Security
Attack Prospects
Power of Microprocessors: A Historical Perspective
http://www.jetpress.org/volume1/moravec.htm
Projected Development of Machine Intelligence
Outline of Internet Networks
Topology of Internet Networks
Internet Advantage
• Any properly configured computer can act as a host for a personal web-page.
• Any of several hundred million other computers can view that personal web-page.
• Any of several hundred million other computers can connect to another computer capable of delivering an information processing service.
Internet Liabilities
• 17,000+ partially secure, poorly connected networks with a practically unlimited number of unverifiable points of access;
• The most frequently used security protocol (SSL, Secure Sockets Layer) authenticates destination servers, but not the sending sources;
• Networks are mostly small, with large ISPs managing less than 10% of network traffic;
• Performance of the network depends on “peering relationships” between ISPs (Internet Service Providers), each providing network capacity and router switching capacity;
• Delivery of packets cannot be guaranteed because network performance is determined by routers that may not have sufficient capacity to handle traffic spikes.
Components of the Internet
• The Border Gateway Protocol (BGP) carries the ISPs’ instructions for forwarding packets from one network link to another. BGP is unreliable if routing tables are in error;
• Average broadband web-page download time to a LAN can be well over 0.5 seconds if the message “packet” traverses several “hops”;
• The Domain Name System (DNS) can be compromised by diverting communications;
• Software robots (botnets) can automatically proliferate and convey destructive software such as “worms”, “rootkits” or parasitic “malware” such as “Trojans” for finding “backdoors” into computers.
• Denial of service attacks can be launched.
Problems with Nets and Servers
• Capacity limitations for peak loads;
• Congestion in access to data sources;
• Excessive delays for global access;
• Expensive to scale capacity for growth;
• Problem not in bandwidth, but mostly in switching;
• Depends on reliability and capacity of ISP “peers” to forward data to the destination;
• Conflicting economic interests among “peers” can inhibit growth and performance.
Outline of Internet Networks
Structure of Internet Protocols
Layer 7: Application – Application Services
Layer 6: Presentation – Data Representation
Layer 5: Session – Inter-host Communications
Layer 4: Transport – End-to-End Connectivity
Layer 3: Network – Path Determination
Layer 2: Data Link – Link Reliability
Layer 1: Physical – Signal Transmission
The Internet “Stack”
OSI Protocols
All Packets Traverse All Stack Layers
All Internet Transmissions in “Hops” (Total elapsed time 6 seconds)
From: [email protected] 7 Dec 2008 15:05:39
1. Received: from 48151 invoked from network
2. Received: from localhost (localhost [127.0.0.1])
3. Received: from rn-out-0910.google.com
4. Received: by rn-out-0910.google.com
5. Received: by 10.100.255.10
6. Received: by 10.100.124.12
7. Received: by 10.65.53.19
8. Received: from qs1473.pair.com
9. Received: from localhost [127.0.0.1]
10. Received: from mta3.srv.hcvlny.cv.net
11. Received: from [10.240.3.210]
Forwarded-To: [email protected] 7 Dec 2008 15:05:45
Above message = 29 “packets”
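The trace above reads top-down from the final recipient back to the sender, because every mail server prepends its own Received line. The following Python is an added example, not part of the slides: it rebuilds the chronological hop chain from a constructed header block (hostnames, addresses and per-hop timestamps are invented documentation values), measures the transit time, and keeps only the hops from the first line written by a mail server under our own control onward, since a sender can forge everything beneath that point.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set

# Constructed sample header block (not the message from the slide): four
# Received lines with per-hop timestamps, folded the way MTAs write them.
SAMPLE_HEADERS = """\
Received: from mta3.example.net (mta3.example.net [192.0.2.10])
    by mail.example.org with ESMTP id 4; Sun, 7 Dec 2008 15:05:45 +0000
Received: from localhost [127.0.0.1]
    by mta3.example.net; Sun, 7 Dec 2008 15:05:43 +0000
Received: by 10.100.255.10 with SMTP id x1;
    Sun, 7 Dec 2008 15:05:41 +0000
Received: from [10.240.3.210] (unknown [198.51.100.7])
    by smtp.example.com; Sun, 7 Dec 2008 15:05:39 +0000
From: sender@example.com
Subject: hop trace
"""

_FROM_RE = re.compile(r"\bfrom\s+([^\s;]+)")
_BY_RE = re.compile(r"\bby\s+([^\s;]+)")


def parse_received_chain(raw_headers: str) -> List[Dict[str, object]]:
    """Return the Received hops in chronological order (oldest first).

    Each MTA prepends its own Received line, so the top of the header block
    is the last hop; reversing the list restores the path actually travelled.
    """
    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header field).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops: List[Dict[str, object]] = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m_from, m_by = _FROM_RE.search(body), _BY_RE.search(body)
        # The timestamp follows the last ';' of the field.
        stamp = parsedate_to_datetime(body.rsplit(";", 1)[1].strip()) if ";" in body else None
        hops.append({
            "from": m_from.group(1) if m_from else None,  # host claimed as the sender
            "by": m_by.group(1) if m_by else None,        # MTA that wrote this line
            "time": stamp,
        })
    hops.reverse()
    return hops


def transit_seconds(hops: List[Dict[str, object]]) -> Optional[float]:
    """Elapsed time between the first and the last timestamped hop."""
    stamps = [h["time"] for h in hops if h["time"] is not None]
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]).total_seconds()


def trusted_suffix(hops: List[Dict[str, object]], trusted_mtas: Set[str]) -> List[Dict[str, object]]:
    """Keep the hops from the first line written by one of our own MTAs onward.

    Lines below that point arrived with the message and may have been forged
    by the sender, so a forensic trace starts at our own Received lines.
    """
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_mtas:
            return hops[i:]
    return []


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    for n, hop in enumerate(chain, 1):
        print(n, hop["from"], "->", hop["by"], hop["time"])
    print("transit seconds:", transit_seconds(chain))
```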
All Internet Transmissions via “Packets”
[Figure: packet layout – Header (Source Address, Destination Address), followed by Data]
What is in an IPv4 Internet Packet Header
• 4 bits that contain the version, which specifies an IPv4 or IPv6 packet;
• 4 bits that contain the length of the header;
• 8 bits that contain the Type of Service / Quality of Service (QoS);
• 16 bits that contain the length of the packet;
• 16-bit identification tag to reconstruct the packet from fragments;
• 3-bit flag that says whether the packet is allowed to be fragmented or not;
• 13 bits that identify which fragment this packet is attached to;
• 8 bits that contain the Time To Live (TTL), the number of hops allowed;
• 8 bits that contain the protocol (TCP, UDP, ICMP, etc.);
• 16 bits that contain the Header Checksum;
• 32 bits that contain the source IP address;
• 32 bits that contain the destination address.
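As an added example (not from the lecture), the following Python decodes exactly these fields from a constructed 20-byte header, verifies the header checksum, and models what each router does at every “hop”: decrement the TTL and recompute the checksum. The sample addresses 10.0.0.1 and 192.0.2.1 and the identification value are made up.

```python
import ipaddress
import struct
from typing import Dict

# 20-byte IPv4 header without options, network byte order:
# ver/IHL, TOS, total length, identification, flags+fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the fields listed on the slide and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     chksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    header_len = ihl * 4                     # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("invalid header length %d" % header_len)
    return {
        "version": version,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "ttl": ttl,
        "protocol": proto,                    # 1 = ICMP, 6 = TCP, 17 = UDP
        "checksum": chksum,
        "checksum_ok": ipv4_checksum(packet[:header_len]) == chksum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def build_sample_header() -> bytes:
    """Constructed example: TCP, 60-byte datagram, DF set, TTL 64, 10.0.0.1 -> 192.0.2.1."""
    raw = struct.pack(IPV4_HEADER_FMT, 0x45, 0, 60, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def forward_one_hop(packet: bytes) -> bytes:
    """What each router does per hop: decrement TTL and recompute the checksum.

    A TTL that would reach zero means the packet is discarded (and an ICMP
    time-exceeded message goes back to the sender), so we refuse to forward it.
    """
    hdr = bytearray(packet)
    if hdr[8] <= 1:
        raise ValueError("TTL expired: packet would be discarded at this hop")
    hdr[8] -= 1
    header_len = (hdr[0] & 0x0F) * 4
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr[:header_len])))
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_ipv4_header(build_sample_header()))
    print(parse_ipv4_header(forward_one_hop(build_sample_header())))
```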
What Drives Computing to “the Edge”?
[Figure: path from the local workstation to the central computer]
• Channel connection: 1 “hop”, latency 0.001 seconds
• LAN connection: 2 “hops”, latency 0.01 seconds
• Middle mile: 8–20 “hops”, TCP retransmits at each “hop”, latency 0.1 to 0.5 seconds
“Middle Mile” In Transmission Takes Microseconds
Example: “Hops” from Desktop to Server
Outline of Internet Networks
IPv4 vs. IPv6
Is Conversion from IPv4 to IPv6 Necessary Now?
• Total capacity of IPv4 is 4.3 billion addresses.
• Xerox, IBM, HP, Apple and Ford each have 16.8 million addresses.
• Xerox employment is 53,500.
• DoD has available 134.2 million addresses.
http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks
Current IPv4 vs. IPv6 Status
• IPv4 allows 32 bits for the address.
• IPv6 uses a 128-bit address and supports a practically infinite number of addresses.
• As of the end of 2010 only 533 million unique IP addresses have been assigned.
• Though the USA currently has 26.4% of the global IP population, it has obtained more than 50% of the IP addresses, while the quickly growing China is exhausting its allocation.
• There are enough IP addresses, on the average, except that they have been misallocated. An immediate rush into IPv6 in the USA cannot be justified.
Outline of Internet Networks
Virtual Private Networks
VPN Features
• VPN offers site-to-site connectivity.
• The protocols are used for “tunneling” the traffic.
• The tunnel's termination point unpacks the protocol.
• VPN enables several levels of security.
• Cryptographic tunneling protocols provide confidentiality by blocking intercepts and packet sniffing.
• VPN allows sender authentication to block identity spoofing and message alteration.
Examples of VPN Protocols
• “IPSEC” VPN protocol developed for IPv6.
• Transport Layer Security (SSL/TLS) can tunnel complete network traffic.
• Datagram Transport Layer Security (DTLS) solves Transmission Control Protocol (TCP) issues.
• Special fixes offered by Microsoft:
– Microsoft Point-to-Point Encryption (MPPE).
– Microsoft Secure Socket Tunneling Protocol (SSTP).
• Secure Shell (SSH) VPN – Offers secure tunneling for inter-network links.
Outline of Internet Networks
Network Switches
Internet Messages Pass Through Routers and Switches
[Figure: a switch connecting routers, each holding routing tables (RT = routing tables)]
Internet Switch that Connects ISPs
Principal Attack Scenarios on Internet Switches
• Flooding Attacks on a Switch
• Address Resolution Spoofing
• “Man-in-the-Middle” Attack
• Denial of Service Attack
• Switch Hijacking Attack
• Spanning Tree Attack
• The Root Claim Attack
• Forcing Eternal Root Election Attack
• VLAN Hopping Attack
Flooding Attacks on a Switch
• The Media Access Control (MAC) protocol defines for a switch what transmissions are allowed to access which connection.
• A switch will keep a Content Addressable Memory (CAM) table for identification of MAC destinations. CAM tables have a limited memory and will overflow.
• Attack tools can auto-generate more than 100,000 bogus entries per minute, which overloads the switch so that it malfunctions.
VLAN Hopping Attack
• Virtual LANs (VLAN) make it possible to group users into logically separate networks.
• A switch partitions local area networks into isolated VLANs. The computers and peripherals are then restricted from communicating with each other.
• Separate subnets are compromised if an attacker manages to send across different zones (hopping). That will make VLAN subdivisions useless.
• For instance, a NIPRNET LAN could be used to initiate a denial of service against computers on SIPRNET.
Address Resolution Spoofing
• Attacker replaces the Address Resolution Protocol (ARP) cache on a switch with a forged mapping.
• It causes traffic to be redirected from the correct target to a target of the attacker’s choice.
• Allows an attacker to sniff the data flowing to a local area network. The traffic is then modified.
“Man-in-the-middle” Attack
• Adds a third party destination into the communications stream without the legitimate recipients being aware.
• The third party can extract passwords and confidential data.
Switch Hijacking Attack
• The switch will inject illegitimate connections that will pretend to be authentic.
• The added connections will take over control without the recipients being aware.
Spanning Tree Attack
• Allows the connection of multiple switches for LAN redundancy, or of spare links to form automatic backup paths.
• If the Spanning Tree Protocol (STP) is corrupted, communications will be re-routed to illegitimate links.
The Root Claim Attack
• Bogus bridge protocols are used to designate the attacker’s station as the new root bridge.
• Once in control a variety of malicious attacks can be launched by the attacker, including the sniffing of all messages for sensitive information and for passwords.
Forcing Eternal Root Election Attack
• Makes the network unstable by tampering with the Spanning Tree Protocol (STP) routing algorithm to keep searching for the root switch, without ever finding it.
• The network will be always in the root selection process, which will make the network unstable and potentially disabled.
Outline of Internet Networks
Network Routers
Juniper T4000 router: 240 Gbps per slot
Internet Routers That Connect ISPs to Backbone Nets
Border Gateway Attacks
• The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains tables of networks that can be reached from routers.
• BGP makes routing decisions based on path availability, network policies and operating rules.
• The Border Gateway protocol does not assure data integrity and does not provide source authentication.
• BGP can be tampered with by making changes to the router software.
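Because BGP itself does not authenticate who originates an announcement, operators check each received (prefix, origin AS) pair against Route Origin Authorizations before accepting it. The following Python is an added example and not part of the lecture: it implements the RFC 6811 origin-validation outcomes (valid, invalid, notfound) and a drop-invalid filter over a constructed ROA table; the prefixes and AS numbers are documentation values, not real assignments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, longest permitted length, authorised origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


# Constructed ROA table (documentation prefixes and AS numbers, not a registry extract).
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),    # no more-specifics allowed
    ROA(ipaddress.ip_network("203.0.113.0/24"), 26, 64497),  # up to /26 may be announced
]

# Constructed batch of announcements as (prefix, origin AS) pairs.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # same prefix, wrong origin: a classic hijack pattern
    ("192.0.2.0/25", 64496),      # right origin but more specific than the ROA allows
    ("198.51.100.0/24", 64498),   # space with no ROA at all
]


def validate_origin(prefix: str, origin_as: int, roas: List[ROA] = ROAS) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if announced.version == r.prefix.version and announced.subnet_of(r.prefix)]
    if not covering:
        return "notfound"          # no ROA says anything about this address space
    for r in covering:
        if r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"               # wrong origin AS, or longer than maxLength permits


def filter_updates(updates: List[Tuple[str, int]],
                   reject_notfound: bool = False) -> List[Tuple[str, int, str]]:
    """Apply a drop-invalid policy (optionally also drop-notfound) to a batch of updates."""
    accepted = []
    for prefix, asn in updates:
        state = validate_origin(prefix, asn)
        if state == "invalid" or (state == "notfound" and reject_notfound):
            continue
        accepted.append((prefix, asn, state))
    return accepted


if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(prefix, "AS%d" % asn, validate_origin(prefix, asn))
```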
Principal Attack Scenarios on Internet Routers
• Promiscuous Mode Corruption
• Router Table Attacks
• Router Information Attacks
• Shortest Path Attacks
• Border Gateway Attacks
• Border Gateway Poisoning
Corruption of Internet Routing Tables
• The rapid growth and fragmentation of Internet routing tables are the major threats to the integrity of Internet transmissions.
• Destination addresses are chosen by “routing tables”. If these routing tables get incorrect information, misrouting will occur.
• Routers tell packets of data which way to go. When an e-mail is sent from one private network to another, the router “decides” which packets should travel within the corporate private network and which should not.
http://pstrassmann.blogspot.com/2010/12/corruption-of-internet-routing-tables.html
Promiscuous Mode Corruption
• The attacker masquerades on the router as a “super-user” with software control privileges. Many router operating systems make “super-user” privileges available for maintenance or for software updating reasons.
• The attacker uses the vendor instructions to acquire “super user” status.
• A promiscuous computer can monitor traffic to and from other computers on the Internet.
Router Table Attacks
• The content of a routing table update is continually modified to reflect changes in the configuration of the surrounding networks.
• An attacker creates messages that look legitimate and can then be inserted into the routing table so that transactions can be redirected.
• Attacks on the routing table updates represent a high risk in the absence of a strong authentication mechanism. Passwords are insufficient for protecting military-grade routers.
Router Poisoning Attacks
• Router poisoning is a method used to direct the formation of routing loops within networks.
• A “hop” count will indicate to other routers that a route is no longer reachable and should be removed from their respective routing tables.
• The desired destination for the packets will cease to function.
Shortest Path Attacks
• Each router passes the status of its links to its neighbors who in turn forward this information to other routers in the network.
• As a result of this exchange, each router has the link information for all other routers and eventually has a picture of the entire network topology.
• In a compromised table the calculated shortest paths will be incorrect and the shortest paths will be purged.
Black Hole Attack
• By making use of router vulnerabilities, various kinds of attacks can be launched to compromise the routing through software changes.
• A special case is the “Black Hole” attack where the router directs a packet to a network where packets enter but do not come out.
Outline of Internet Networks
Domain Servers
What Are the DNS Servers?
• The Domain Name System (DNS) is a globally distributed service that is foundational to the way people use the Internet.
• DNS uses a hierarchical name structure, and different levels in the hierarchy are each separated with a dot ( . )
• Computers use the DNS hierarchy to translate human-readable names like <www.amazon.com> into IP addresses like 192.0.2.1 that the Internet can use to route transactions to one another.
Principal Attack Scenarios on Domain Name System (DNS)
• Address Starvation Attack
• Attacks Using Rogue Servers
• Attacks Using Bogus Default Gateway
• DNS Database with Malicious Records
• DNS Spoofing With a Sniffer
• DNS Flooding Attack
• Spoofed Responses to a DNS Server
• Buffer Overflow Attack
• Denial of Service Attack
Outline of Internet Networks
Network Control
NOC Control Display
Seats Reserved for Countermeasure Specialists
Challenge
• How to automate monitoring, control and security tasks performed by >50,000 personnel now attending to computers at >500 server farms?
• How to migrate to a highly automated environment?
The Purpose of a Network Operations Center (NOC)
• To manage an automated network environment.
• To function as the first line of defense for security.
• To operate information warfare countermeasures.
• To shift computing workloads to and from:
– Locked down internal production operations;
– Test and Pre-production environments;
– Internal “clouds” for legacy applications;
– External “clouds” for fall back and added assets.
The NOC Becomes the Key to Net-Centricity
• Manages the migration from a device centric world to a customer centric world.
• Enables connecting from anywhere, by any means.
• Offers access privileges only to authorized persons.
• Allows purchasing of computer processing power independent of circuit technology.
• Makes it possible to associate computing services according to a person’s roles or location.
Concept of Operations for Network Operations Center
• Network Operations Center (NOC) manages massively distributed virtual computers.
• The scale of NOC dictates the scope of information security safeguards.
• NOCs should be geographically distributed and redundant.
• The staffing of NOCs can offer huge economies of scale, depending on the capitalization of the staff.
• The NOC should include countermeasures as the first line of defence in the case of information warfare.
Security & Control Managed from the NOC
• Offers visibility into all machine resources and processes.
• Monitors and controls the execution of all applications.
• Set up traps for viruses, rootkits and malware before they can infect a system.
Security Architecture Managed from the NOC
• Delivers a private network that is completely isolated from the public Internet except through a small number of controlled access gateways.
• Offers instant visibility of 100% of every network component (such as cabling, routers, switches, servers and end user appliances);
• Provides uninterrupted, redundant real-time monitoring of each transaction that is processed anywhere on the entire network;
• Offers instant switching of communications as well as of all computing assets to fall-back facilities to deliver.
Example of NOC Operations
• NOCs account for every Internet Protocol (IP) address in the system, which includes all authorized desktops, laptops, smart-phones and RFIDs.
• Assuming insider attack, all network incidents, whether human or automatic, shall be followed up and documented for attack pattern analysis.
• Forensic and artificial intelligence methods will be applied to analyse attack patterns in the perpetual transactions library.
• Keeps inventories of LAN and WAN for identification of alternative paths under failure conditions.
Ultimate Purpose: NOCs Manage Connecting of the Clouds
• Extends Virtual Infrastructure beyond a single data center
• Uses a secondary Data Center site for testing and overflow
• Leverages geographically distributed resources
• Rents resources from Service providers for capacity
• Maintains IT Service Levels
[Figure: Virtual Infrastructure spanning the Primary Data Center, the Test and Development Data Center and a Resource Cloud]
Software Defined Networks (SDN)
• SDN allows direct access to and manipulation of network devices such as switches and routers, both physical and virtual. It is the absence of an open interface to these devices that has led to the characterization of today’s networking devices as monolithic, closed, and mainframe-like. A protocol like SDN is needed to move network control out of the individual switches into centralized control software.
• SDN control software can control any SDN-enabled network device from any vendor, including switches, routers, and virtual switches. Rather than having to manage groups of devices from individual vendors, IT will be now able to use SDN-based orchestration and management tools to quickly deploy, configure, and update devices across the entire network.
The Future: Virtual Networks
Outline of Internet Networks
Performance Metrics
NOCs Obtain Independent Uptime and Latency Metrics
From the NOC Monitoring & Control Every Server Possible
NOC Software Enables Diagnosis of the Status of Servers
Utilization of Servers Monitored and Controlled from NOC
Visibility of Virtual Machines at the NOC
VISA Credit Card Case
• >1.3 billion Visa cards in circulation;
• Accepted at >24 million input sources, >160 countries;
• >50,000 decision rules for interoperability;
• Interoperability in >50 languages;
• Cash access at >one million ATMs;
• Capable of processing >6,200 transactions a second;
• Global response time <0.25 seconds;
• Interoperable with >21,000 financial institutions;
• Global Systems Integration Staff of 200;
Amazon Global Network of Private Servers
• Ashburn, VA
• Dallas/Fort Worth, TX
• Los Angeles, CA
• Miami, FL
• New York, NY
• Newark, NJ
• Palo Alto, CA
• Seattle, WA
• St. Louis, MO
• Amsterdam
• Dublin
• Frankfurt
• London
• Hong Kong
• Tokyo
• Singapore
AKAMAI, a Telecomm Infrastructure Manager
• Manages 35,000 servers.
• Servers hosted with Internet Service Providers (ISP).
• NOC has 12 operating staff.
• Most of the Akamai intellectual capital is in their NOC.
• 99.98% uptime for “End-to-End” connections.
– Performance is inclusive of server failures, connectivity failures and network downtime, measured on a 24/7 basis.
• Akamai has $800M in revenues.
Outline of Internet Networks
The Global Information Grid (GIG)
Origin of the Global Information Grid (GIG)
• In September 1992, Defense Management Report Decisions (DMRD) expanded DISA's role.
• DMRD 918 created the Defense Information Infrastructure (DII), now known as the Global Information Grid. At the same time the Defense Information Systems Network was created to consolidate 122 DoD networks.
• DISA plans, designs, constructs, and analyzes the effectiveness of the U.S. military's cyberspace.
• DISA establishes the technological standards that make the GIG secure and reliable.
Large Internet Firms Offer Direct Links to Speed Connections
[Figure: 26 routers, 169 POP switches]
A 2004 Evaluation by the Government Accountability Office
• The most critical challenge ahead for DOD is making the GIG a reality.
• DOD has taken steps to define its vision and objectives for the GIG on paper.
• DoD is making heavy investments ($21 billion over 6 years) in the GIG as well as in systems that depend on the GIG.
• It is not known how DOD will meet GIG objectives.
SOURCE: GAO-04-858. 2004
DoD Policies on Building and Operating the GIG
GIG as the Cornerstone of Information Superiority
• GIG is the enabler of net-centric warfare.
• The GIG makes up a secure, reliable network for communications satellites, next-generation radios and military installation-based networks with expanded bandwidth.
• Increased budgetary pressures are starting to modify the term GIG.
• New concepts are emerging such as Cyberspace Operations which are revising what was the original version of GIG.
Required Reading
– The Internet’s Vulnerabilities Are Built Into Its Infrastructure, Paul A. Strassmann, November 2009
• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2109&zoneid=32
– Network-Centric Systems Need Standards and Metrics, Paul A. Strassmann, July 2009
• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2004&zoneid=32
– Can DoD Manage the Delivery of GIG Objectives?
• http://pstrassmann.blogspot.com/2011/08/can-dod-manage-delivery-of-gig.html
– Why the GIG Warrants Top Priority
• http://pstrassmann.blogspot.com/2011/03/how-secure-is-virtual-network.html
Class Assignment
• Write a >200 word analysis of one of the topics in the required reading list:
• Analysis to include:
– Discussion of favorable and unfavorable views about the issue
– Your personal summary conclusion and recommendations