VPN On Constructing the Environment of Secure Remote Office

Transcription

1 VPN On Constructing the Environment of Secure Remote Office Masakatu MORII Masami MOHRI 1. CINON CINON PERM (Privacy Enhanced information Reading and writing Management method) [6] Lamport CINON PERM Man in LAN the Middle attack Man in the Middle attack SAS(Simple And Secure password authentication protocol) [7] SAS Man in the Middle attack CINON PERM PERM Replay attack Denial of Service attack [8] [8] Replay IC attack Denial of Service attack USB OSPA (Optimal Strong-Password Authentication) OSPA VPN SAS IP-VPN VPN Impersonation attack SSL-VPN [9] SAS-2 IDS [10] IDP Intrusion Detection and Prevention 2.1 VPN VPN A ID ID H VPN [1][2] E S i 2. Lamport CINON PERM SAS OSPA SAS-2 [3, 4, 5, 6, 7, 8, 10] Lamport [3, 4] Lamport CINON (Chained One-Way Data Verification Method) [5] Lamport, Dept. of Information Science and Intelligent Systems, Faculty of Engineering, The University of Tokushima P i R i K i i P i A H h h(m) m L L(X) X A B : X A B X A = B : X A B X 2.2

2 A Request R0 (secure channel) K-1=h(R0 S) K0=h(h(K-1 S) R0) (secure channel) 1: H Generate R0 Store K-1, K0 A Check Ri by received h(ri Ki-1 Ki) and stored Ki-1, Ki. Service Request H Generate Ri Ri, h(ri Ki-1 Ki) Pi=h(Ri Ki) Compute P i by Ri and stored Ki. Check P i = Pi. Acceptance Message Store Ki+1=h(Ri h(pi Ki)). Store Ki+1=h(Ri h(pi Ki)) A Step R1 A H : Step R2 H = A : R 0 Step R3 A K 1 K 0 K 1 = h(r 0 S) K 0 = h(h(k 1 S) R 0 ) Step R4 A = H : K 1, K 0 Step R5 H K 1, K 0 A i Step A1 A H : Step A2 H A : R i, h(r i K i 1 K i ) Step A3 A R i K i 1, K i h(r i K i 1 K i ) R i P i = h(r i K i ) Step A4 A H : P i Step A5 H P i = h(r i K i ) P i = P i K i+1 = h(r i h(p i K i )) Step A6 H A : Step A7 A K i+1 = h(r i h(p i K i )) 2.4 Man in the Middle attack Replay attack Denial of Service attack Impersonation attack 2: Man in the Middle attack Man in the Middle (MIM) attack E 2 MIM attack E H R i A A H A R i E A A H E MIM attack 2.5 Replay attack Replay attack E Replay attack i E R i, h(r i K i 1 K i ) P i = h(r i K i ) i E R j = 0, j = 0, 1, 2,... K i+1 = h 2 (P i K i ) E P i K i K i+1 i + 1 0, h(k i K i+1 ) P i+1 = h(k i+1 ) E K i+1 h(k i K i+1 ) P i+1 = h(k i+1 ) E Replay attack 2.6 Denial of Service attack Denial of Service (DoS) attack E 2 DoS attack E A H

3 DoS attack E A H H A R i h(r i K i 1 K i ) A H P i P i = h(r i K i ) K i E h(r i K i 1 K i ) P i DoS attack : Impersonation attack Impersonation attack E E H A A Impersonation attack E E A H A E E i 1 i i + 1 A E i H H P i = h(r i K i ) P i H Impersonation attack CERT[12] Web,, JPCERT/CC Vendor Status Notes(JVN) [13] JVN, 3.1,, 3.2 CGI DNS IP DNS IP IP Web(HTTP) Mail(SMTP) DNS Windows WindowsOS 3 Windows

4 ( ) Web IP 80 URL HEAD / HTTP/1.0 Web Mail MX(Mail exchanger) 4: MX IP nslookup -type=mx 3 or IP MX MX MX 3.3 SMTP (TCP 25 ) Mail Web Apache (CGI ) DNS DNS IP nslookup -type=mx or IP DNS NS DNS DNS nslookup -type=txt -class=chaos version.bind. DNS or IP WindowsOS Windows Windows WindowsOS IP nmap -O Remote operationg system guess OS Windows Nessus[14] Nessus Windows Windows DNS MX NS DNS MX DNS, IP PostgreSQL CGI Perl 4 Web, Mail, DNS WindowsOS URL 4. IDS( Intrusion Detection System) IDS IDS IDS IDS IDS(Network-based IDS) [20, 21, 22] IDS IDS(Host-based IDS) [23, 24] IDS IDS 2 1 IDS IDS 2 IDS 1 IDS [25, 26] [27]

5 IDS IDS IDS IDS 2 [28]. () IDS IDS IDS IDS IDS 2 Center Management Type Intrusion Detection System( ) [29] 5 ( ) IDS IDS IDS 5: DB IDS 6: IDS DB IDS IDS IDS IP DB DB []

6 [**] [1:628:2] SCAN nmap TCP [**] 12/24-17:00: :1800 -> :23 TCP TLL:64 TOS:0x0 ID:39717 lplen:20 DgmLen:60 DF ******S* Seq: 0x16720CE3 Ack: 0x0 Win: 0x7D78 TcpLen: 40 TCP Pptions (5) => MSS: 1460 SackOK TS: NOP WS: 0 7: Snort 1) 2) 3) 4) 5) IDS [] [ ] IDS IDS [ DB] DB DB IDS IP/Port IP/Port DB 1 [] IDS DB IDS IDS IDS DB DB 7 Snort [] DB 3 IP IP DB 8: IP DB OS DB 8 IDS IDS, Step1) Step2) Step1 Step3).....

7 1: DB IDS IP Port IP Port Snort SCAN namap TCP TCP Snort SCAN fingerprint attempt TCP Snort TELNET Bad Login TCP Snort TELNET Bad Login TCP Snort DOS Jolt attack TCP DB DB B DB A 9: B Step4) Step3 Step5) Step2 Step4 10: Step3 Step5 Step2 Step OS Software Port Web IIS(Internet Information Service) WEB-IIS iissamples access WEB-IIS htimage.exe access WEB-IIS /iisadmpwd/aexp2.htr access WEB-IIS htimage.exe access WEB-IIS /iisadmpwd/aexp2.htr access

8 WEB-IIS iissamples access [10] T. Tsuji, T. Kamioka, and A. Shimizu, Simple And Secure password authentication protocol, ver.2(sas-2), IEICE Technical Report, OIS , vol.102, no.314, pp.7 11, Sep Software IIS - Software IIS - Port 80 - Port [11],,, 26 Vol.2, pp Dec [12] CERT: [13] JVN: WEB-IIS htimage.exe access - Software IIS - Software IIS - Port 80 - Port htimage.exe htimage.exe WEB-IIS /iisadmpwd/aexp2.htr access [14] Nessus: [15] Web Server Survey, com. [16] *.com mail exchanger survey yp.to/surveys/smtpsoftware4.txt [17] in-addr version distribution isi.edu/%7ebmanning/in-addr-versions.html [18] 2003 pp Oct Software IIS Software IIS Port 80 - Port 80 - htimage.exe aexp2.htr - aexp2.htr 11: htimage.exe awxp2.htr [1] Yoshiaki Shiraishi, Youji Fukuta and Masakatu Morii, Remote Access VPN with Port Protection Function by Mobile Codes, The 4th International Workshop on Information Security Applications(WISA2003), LNCS2908, pp.16 26, Jeju island, Korea, Aug , [2] Yoshiaki Shiraishi, Youji Fukuta and Masakatu Morii, Port Randomized VPN by Mobile Codes, 2004 IEEE Consumer Communications and Networking Conference(CCNC2004), Las Vegas, Nevada, USA, Jan. 5-8, [3] L. Lamport, Password Authentication with Insecure Communication, Commun. ACM, vol.24, no.11, pp , Nov [4] N. Haller, The S/KEY One-Time Password System, Proc. Internet Society Symposium on Network and Distributed System Security, pp , Feb [5] A. Shimizu, A Dynamic Password Authentication Method Using a One-way Function, System and Computers in Japan, vol.22, no.7, pp.32 40, [6] A. Shimizu, T. Horioka, and H. Inagaki, A Password Authentication Method for Contents Communication on the Internet, IEICE Trans. Commun., vol.e81-b, no.8, pp , Aug [7] M. Sandirigama, A. Shimizu, and M.T. Noda, Simple and Secure Password Authentication Protocol (SAS), IEICE Trans. Commun., vol.e83-b, no.6, pp , Jun [19] pp.- May [20] M. Roesch, Snort: Lightweight Intrusion Detection for Networks, Proc. of 13th Systems Administration Conference(LISA 99), pp , [21] P. Porras and P. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, Proc. of 9th ACM Conference on Computer and Communications Security, pp , [22],,,, (IDS-M),, OFS99-15, pp.39 46, [23] Internet Security Systems, Inc., RealSecure intrusion detection system, [24] Tripwire, Inc., Tripwire, [25] KDDI,, available at [26] Internet Initiative Japan Inc., IIJ, available at [27] Y. Tachibana, H. Takeuchi, H. Kurauchi and M. Morii, Damage Analysis Support System for Illegal Access, Proc. of 7th World Multi-Corference on Systems, Cybernetics and Informatics(SCI2003), Jul [28],,,,,, 2002(CSS2002) pp , Oct [29] Y. Shiraishi, T. Kuribayashi and M. Morii, Center Management Type Intrusion Detection System, Proc. of 7th World Multi-Corference on Systems, Cybernetics and Informatics(SCI2003), Jul [30] Snort, Snort Rules Database, available at [31],,, 2004 pp., Jan [8] C.L. Lin, H.M. Sun, and T. Hwang, Attacks and Solutions on Strong-Password Authentication, IEICE Trans. Commun., vol.e84-b, no.9, pp , Sep [9] T. Tsuji and A. Shimizu, An Impersonation Attack on One- Time Password Authentication Protocol OSPA, IEICE Trans. Commun., vol.e86-b, no.7, pp , Jul