Protection of Communication Infrastructures

Transcription

1 Protectio of Commuicatio Ifrastructures Chapter Itroductio Threats, Security Goals & Requiremets Threat Aalysis System Security Egieerig Course Objectives & Overview A Short Advertisemet Before We Begi... :o) There is a additioal course etitled Simulative Evaluatio of Protocol Fuctios (project semiar, SWS) which is desiged to give you a hads-o experiece with etwork protocol fuctios ad simulatio studies: Itroduces a simulatio eviromet ad lets you add protocol fuctioality Studied protocol fuctios: forwardig, routig, (iterface queues), coectio setup, error-, flow- ad cogestio cotrol Requires good programmig skills Kowledge of C++ is a asset (but ot a pre-requisite) Allows you to obtai i-depth kowledge of topics covered i Telematics I ad the techiques ad art of simulatio studies because afterwards you did it! :o) Itroductio ad iscriptio: ,5:00 6:00, Room Z 0

2 Example: Evaluatio of TCP Cogestio Cotrol Motivatio: A Chagig World Mobile commuicatio etworks ad ubiquitous availability of the global Iteret have already chaged dramatically the way we commuicate, coduct busiess, ad orgaize our society With curret research ad developmets i sesor etworks ad pervasive computig, we are eve creatig a ew etworked world However, the beefits associated with iformatio ad commuicatio techology imply ew vulerabilities Icreasig depedece of moder iformatio society o availability ad secure operatio of commuicatio services

3 What is a Threat i a Commuicatio Network? Abstract Defiitio: A threat i a commuicatio etwork is ay possible evet or sequece of actios that might lead to a violatio of oe or more security goals The actual realizatio of a threat is called a attack Examples: A hacker breakig ito a corporate computer Disclosure of s i trasit Someoe chagig fiacial accoutig data A hacker temporarily shuttig dow a website Someoe usig services or orderig goods i the ame of others... What are security goals? Security goals ca be defied: depedig o the applicatio eviromet, or i a more geeral, techical way 5 Security Goals Depedig o the Applicatio Eviromet Public Telecommuicatio Providers: Protect subscribers privacy Restrict access to admiistrative fuctios to authorized persoel Protect agaist service iterruptios Corporate / Private Networks: Protect corporate / idividual privacy Esure message autheticity Protect agaist service iterruptios All Networks: Prevet outside peetratios (who wats hackers?) Sometimes security goals are also called security objectives 6

4 Security Goals Techically Defied Cofidetiality: Data trasmitted or stored should oly be revealed to a iteded audiece Cofidetiality of etities is also referred to as aoymity Data Itegrity: It should be possible to detect ay modificatio of data This requires to be able to idetify the creator of some data Accoutability: It should be possible to idetify the etity resposible for ay commuicatio evet Cotrolled Access: Oly authorized etities should be able to access certai services or iformatio Availability: Services should be available ad fuctio correctly 7 Threats Techically Defied Masquerade: A etity claims to be aother etity Eavesdroppig: A etity reads iformatio it is ot iteded to read Authorizatio Violatio: A etity uses a service or resources it is ot iteded to use Loss or Modificatio of (trasmitted) Iformatio: Data is beig altered or destroyed Deial of Commuicatio Acts (Repudiatio): A etity falsely deies its participatio i a commuicatio act Forgery of Iformatio: A etity creates ew iformatio i the ame of aother etity Sabotage (Deial of Service): Ay actio that aims to reduce the availability ad / or correct fuctioig of services or systems 8

5 Threats ad Techical Security Goals Techical Security Goals Masquerade Eavesdroppig Authorisatio Violatio Cofidetiality x x x Geeral Threats Loss or Modificatio of (trasmitted) iformatio Deial of Commuicatio acts Forgery of Iformatio Data Itegrity x x x x Accoutability x x x x Sabotage (e.g. by overload) Availability x x x x Cotrolled Access x x x Threats are ofte combied i order to perform a attack! 9 Architectural View of our Object to be Protected Network Edsystem Edsystem 5 5 Applicatio 55 Trasport Network Network Data Lik Data Lik Physical Physical Commuicatio i ed Protocol Architectures 0

6 Security Aalysis of ed Protocol Architectures Edsystem (Iitiator) Network Edsystem (Respoder)??? Dimesio : At which iterface could a attack take place? Security Aalysis of ed Protocol Architectures? 55 Applicatio 55? Trasport? Network Network? Data Lik Data Lik? Physical Physical Dimesio : I which layer could a attack take place?

7 Systematic Threat Aalysis o the Message Level A systematic security aalysis of a layered protocol architecture has to cosider the followig attackig techiques: Passive attacks: Eavesdroppig Active attacks: Delay of PDUs (Protocol Data Uits) Replay of PDUs Deletio of PDUs Modificatio of PDUs Isertio of PDUs Successful lauch of oe of the above attacks requires: There are o detectable side effects to other commuicatios (coectios / coectioless trasmissios) There are o side effects to other PDUs of the same coectio / coectioless data trasmissio betwee the same etities Security Aalysis of Commuicatio Ifrastructures O the precedig slides, the aalysis was basically cocetrated o potetial attacks o the trasmissio of iformatio Of equal importace, however, are attacks agaist the systems, that are part of or makig use of a commuicatio etwork: Ed systems Routers Importat ifrastructure servers: DNS, , WWW, file servers, etc. We, therefore, have to exted our aalysis framework: Dimesio S.: Which system could be attacked? Dimesio S.: Which compoet of the system is attacked (OS, protocol stack, applicatio process, etc.)? However, this itroduces a ew difficulty: A active etity (system) offers much more differet attackig opportuities tha a passive data object (like a PDU) It is, therefore, much harder to coduct a systematical aalysis

8 Towards Systematic Threat Aalysis Oe ot very systematic approach is producig of arbitrary threat lists by ay ad-hoc braistormig method Example: Hospital Iformatio System Corruptio of patiet medical iformatio Corruptio of billig iformatio Disclosure of cofidetial patiet iformatio Compromise of iteral schedules Uavailability of cofidetial patiet iformatio... Drawbacks of this approach: Questioable completeess of idetified threats Lack of ratioale for idetified threats other tha experiece Potetial icosistecies (e.g. disclosure vs. uavailability of cofidetial patiet iformatio i the example above) 5 Threat Trees: Oe Systematic Threat Aalysis Approach Defiitio: threat tree A threat tree is a tree with: odes describig threats at differet levels of abstractios, ad subtrees refiig the threat of the ode they are rooted at, where the child odes of oe ode give a complete refiemet of the threat represeted by the paret ode Techique for establishig threat trees: Start with a geeral abstract descriptio of the complete set of threats that exist for a give system (e.g. security of system X compromised ) Iteratively itroduce detail by gradually refiig the descriptio with care Each itroduced ode may itself become the root of a subtree further describig the threat represeted by the ode Evetually, each leaf ode of the tree provides a descriptio of a threat that ca be used for a (less arbitrary) threat list The mai idea of this techique is to postpoe the creatio of (arbitrary) treat lists as much as possible 6

9 Example: A Hospital Iformatio System Threat Tree Hospital System Threats Patiet Medical Iformatio No Patiet Medical Iformatio Life Threateig No Life Threateig Billig No Billig Disclosure Itegrity Deial of Service... It is importat that at each level of refiemet the child odes of a ode maitai demostrable completeess so that oe ca be cofidet that othig has bee missed (source: [Amo9]) 7 Iferrig Composed Threat i Threat Trees The child odes of oe ode ca actually be i differet relatios to their paret ode with the two most commo relatios beig: Disjuctio Cojuctio Threat Threat OR AND Subthreat Subthreat Subthreat Subthreat These relatios ca be used to ifer composed threat: Augmet odes with effort estimatios (e.g. easy, moderate, high) Ifer effort of a OR-related composed threat as the lowest effort value of its child odes (the attacker will most likely take the easy way...) For AND-related composed threats, the highest effort is iferred 8

10 Supportig System Security Egieerig with Threat Trees Whe augmeted with appropriate attributes (e.g. estimated criticality ad attacker effort for idividual threats), threat trees ca help to gai isight where to sped resources to decrease the overall system s vulerability: Threat OR Threat OR Subthreat A Criticality = Effort = Subthreat B Criticality = 6 Effort = Subthreat A Criticality = Effort = Subthreat B Criticality = 6 Effort = Risk = Risk = 6 Risk = Risk = The secod threat tree re-evaluates risk after some protective measure has bee take to icrease the attacker s effort for subthreat B I the above example, risk is assessed with the followig formula: Risk = Criticality / Effort 9 A High Level System Security Egieerig Process Specify system architecture: Idetify compoets ad iterrelatios Idetify threats, vulerabilities ad attack techiques: The threat tree techique provides help for this step Estimate compoet risks by addig attributes to the threat tree: However, removig subjectivity from iitial assessmets is ofte impossible ad other attributes tha criticality ad effort (e.g. risk of detectio) might have to be cosidered as well Prioritize vulerabilities: Takig ito accout the compoets importace Idetify ad istall safeguards: Apply protectio techiques to couter high priority vulerabilities Perform potetial iteratios of this process Re-assess risks of the modified system ad decide, if more iteratios are required 0

11 A High Level Model for Iteret-Based IT-Ifrastructure Private Networks Public Iteret Mobile Commuicatio Networks... Access Network Web-Server Network Maagemet DNS Server... ISP Networks Support Ifrastructure A High Level Threat Tree for Iteret-Based IT-Ifrastructure

12 Couterig Attacks: Three Priciple Classes of Actio Prevetio: All measures take i order to avert that a attacker succeeds i realizig a threat Examples: Cryptographic measures: ecryptio, computatio of modificatio detectio codes, ruig autheticatio protocols, etc. Firewall techiques: packet filterig, service proxyig, etc. Prevetive measures are by defiitio take before a attack takes place Detectio: All measures take to recogize a attack while or after it occurred Examples: Reactio: Recordig ad aalysis of audit trails O-the-fly traffic moitorig All measures take i order react to ogoig or past attacks Safeguards Agaist Iformatio Security Threats Physical Security: Locks or other physical access cotrol Tamper-proofig of sesitive equipmet Evirometal cotrols Persoel Security: Idetificatio of positio sesitivity Employee screeig processes Security traiig ad awareess Admiistrative Security: Cotrollig import of foreig software Procedures for ivestigatig security breaches Reviewig audit trails Reviewig accoutability cotrols Emaatios Security: Radio Frequecy ad other electromagetic emaatios cotrols Referred to as TEMPEST protectio

13 Safeguards Agaist Iformatio Security Threats Media Security: Safeguardig storage of iformatio Cotrollig markig, reproductio ad destructio of sesitive iformatio Esurig that media cotaiig sesitive iformatio are destroyed securely Scaig media for viruses Lifecycle Cotrols: Trusted system desig, implemetatio, evaluatio ad edorsemet Programmig stadards ad cotrols Documetatio cotrols Computer / System Security: Protectio of iformatio while stored / processed i a system Protectio of the computig devices / systems themselves Commuicatios Security: Protectio of iformatio durig trasport from oe system to aother Protectio of the commuicatio ifrastructure itself 5 Commuicatios Security: Some Termiology Security Service: A abstract service that seeks to esure a specific security property A security service ca be realised with the help of cryptographic algorithms ad protocols as well as with covetioal meas: Oe ca keep a electroic documet o a floppy disk cofidetial by storig it o the disk i a ecrypted format as well as lockig away the disk i a safe Usually a combiatio of cryptographic ad other meas is most effective Cryptographic Algorithm: A mathematical trasformatio of iput data (e.g. data, key) to output data Cryptographic algorithms are used i cryptographic protocols Cryptographic Protocol: A series of steps ad message exchages betwee multiple etities i order to achieve a specific security objective 6

14 Security Services Overview Autheticatio The most fudametal security service which esures, that a etity has i fact the idetity it claims to have Itegrity I some kid, the small brother of the autheticatio service, as it esures, that data created by specific etities may ot be modified without detectio Cofidetiality The most popular security service, esurig the secrecy of protected data Access Cotrol Cotrols that each idetity accesses oly those services ad iformatio it is etitled to No Repudiatio Protects agaist that etities participatig i a commuicatio exchage ca later falsely dey that the exchage occurred 7 Course Objectives The course Network Security (held every fall term) focuses o: Itroductio to iformatio security techology (icl. cryptology) Network security protocols to esure: Etity autheticatio Data cofidetiality & data itegrity Some established techiques to realize access cotrol i etworks This course takes a complemetary view o the followig aspects: Threats to ad measures for esurig availability Threats ad measures cocerig systems (beyod pure etwork security protocols which are more targetig trasmissio security) Measures for itrusio detectio ad respose Additioally, some case studies to be performed by studets (talks, potetially based o experimetatio) shall: provide backgroud ad guidelies o securig specific applicatios add a practical perspective to the gathered coceptual kowledge 8

15 Prelimiary Course Overview. Itroductio. Security Aware System Desig ad Implemetatio. Deial-of-Service Attacks ad Coutermeasures. Routig 5. DNS Security 6. Iteret Firewalls 7. Itrusio Detectio ad Respose 8. Security i Sesor Networks (Challeges i Costrait Eviromets) 9. Securig Group Commuicatios (if time permits) 0. Joit Discussio: Ope source vs. proprietary software: will ope source lead to more secure systems? 9 Geeral Course Bibliography [Amo9] E. Amoroso. Fudametals of Computer Security Techology. Pretice Hall. 99. [Amo99] E. Amoroso. Itrusio Detectio. Itrusio.Net Books, 999. [Cha95] Bret Chapma ad Elizabeth Zwicky. Buildig Iteret Firewalls. O'Reilly, 995. [For9b] Warwick Ford. Computer Commuicatios Security - Priciples, Stadard Protocols ad Techiques. Pretice Hall. 99. [Gar96] Simso Garfikel ad Gee Spafford. Practical Iteret & Uix Security. O'Reilly, 996. [GW0] M.G. Graff, K.R. va Wyck. Secure Codig. O Reilly, 00 [NN0] S. Northcutt, J. Novak. Network Itrusio Detectio - A Aalyst s Hadbook. secod editio, New Riders, 00. [SR] G. Schäfer, M. Rossberg. Netzsicherheit - dpukt.verlag, 676 Seite, Gebude, 9,90 Euro, 0. [VM0] J. Viega, G. McGraw. Buildig Secure Software. Addiso-Wesley, 00. 0