Systems and Network Security (NETW-1002)

Transcription

1 Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring 2017

2 Course Outline Basic concepts of security: Attacks, security properties, protection mechanisms. Basic operations: Randomness, cryptography, certification, etc. Security protocols and attacker models: Cryptanalysis, protocol analysis, algebraic models. Network security: Security policies, security assurance, access control policies. Protecting networks: Intrusion detection, firewalls, secure routing, etc. Security at the application layer: Examples of implementations.

3 Course information Evaluation: Assignments: 15% Quizzes: 10% Mid-term: 20% Project: 15% Final: 40% Schedule: Day Time Location Saturday 2:15 P.M. H8 Office hours: Saturday 11:00 A.M. - 2:00 P.M.

4 Textbooks: 1 C. Kaufman, R. Perlman, and M. Speciner. Network Security, Private Communication in a Public World. 2 nd Edition, Prentice Hall PTR. 2 E.Cole, R. Crutz, and J. Conley. Network Security Bible, Wiley Publishing Inc. 3 B. Schneier. Applied Cryptography, Wiley Publishing Inc. 4 W. Stallings. Cryptography and Network Security, Principles and Practices, 4 th Edition, Prentice Hall PTR.

5 The Big Picture Node A What sort of attacks? What security services? How to implement the services? Attacks rely on the capabilities of the intruder, so to investigate the attacks, we must model the intruder. Knowing the attacks, we can defend the network against them. Security services Security services Attackers Trusted servers Node B

6 What Can the Attacker Do? Attacker Model The attacker is the network, i.e., all network nodes exist in a hostile environment. The following is assumed: 1 The attacker monitors all network messages (eavesdropping). 2 The attacker can peform computations on messages, e.g., encryption, decryption. 3 The attacker is a legitimate network user. 4 The attacker can send messages to any user and receive messages from any other user. 5 The attacker can block messages. 6 The attacker can impersonate other users. Active and passive attackers: A passive attacker just monitors the network traffic without interrupting it. An active one is involved in message reception and/or transmission, i.e., items 3 5 in the list above.

7 Types of attacks Eavesdropping (passive attacks). Man-in-the middle attacks, i.e., opening parallel sessions with different network nodes. Impersonation attacks, i.e., pretend to be another network node. Replay attacks, i.e., store a sequence of messages and play it again later. Denial of Service (DOS) attacks. Cryptanalysis attacks, i.e., trying to break an encypted text. Password guessing (brute-force and dictionary attacks). Malware (viruses, worms, trojan horses, time bombs, back door) attacks. Software exploitation attacks, i.e., exploit a vulnerability. Timing attacks. Social engineering. etc.

8 Types of Malware The following are categories of malware. Malicious code may have more than one characteristic of the ones listed below: Viruses: It is malicious software, in the form of executable code that is attached to a legitimate computer program. Once it runs on a machine, it can self-replicate (copy itself) to other programs on the machine. Worms: It is a malicious computer program that spreads across a network causing harm and consuming resources. Trojan horses: It is a computer program that appears legitimate and harmless but has hidden malicious features. Time bombs (logic bomb): It is malicious code that causes dmamage when a certain event occurs or when a certain time is reached. Back door: It is a hidden entry point to software giving remote users access to the system without having proper authorization.

9 Examples of Attacks SYN Flood A B SYN SYN SYN SYN ACK A does not reply with ACK A uses the TCP three-way handshake to initiate many half-open connections. The TCP server is too busy to respond to other users. This is a Denial of Service (DoS) attack.

10 Examples of Attacks UDP Storm M echo A chargen B m 1 In this attack, A is running the echo protocol on port 7, while B is running chargen (character generator) on port 19. Both A and B use UDP. Therefore chargen will reply to any request by a random number. M the malicious node, sends message m 1 to B, with source IP=A, source port=7, and destination port=19. A and B will start bouncing messages off each other indefinitely.

11 Examples of Attacks Ping Attack M m 1 A The malicious node M, sends a broadcast echo message m 1 with destination IP=A to the network. A is then flooded with replies.

12 Examples of Attacks TCP Session Hijacking A M B Syn flood SYN, source=a, X A is SYN-flooded SYN ACK, X+1, Y ACK, X+1, Y+1 The malicious node M first attacks A by SYN flood then impersonates A. The success of this attack depends on M knowing Y. It can intercept messages or guess Y, in case there is a weakness in the algorithm for number generation.

13 Security Properties What properties do we want our network to have? Below are very simple intuitive definitions. Confidentiality: A message m should be revealed only to those parties who have the right to read it. Integrity: A message m should not be tampered with by an itruder. If an intruder tampered with the message, the receiver should be able to detect this. Availability: Sevices offered by the network should always be available to legitiamte users, i.e., the network should be imune against denial of service attacks. Authentication: Users should be able to verify the identity of other users communication with them. Non-repudiation: A user should not be able to deny sending (Non-Repudiation of Origin, NRO) or receiving (Non-Repudiation of Receipt, NRR) a message.