Chapter 7 Network Security

Transcription

1 Problem Statement Chapter 7 Network Security Network security is an overall consideration problem. Network hackers may make use of weakness or security holes to the attack system if there is any problem within system. For example, virus of Code Red and Nimda adopt the Distributed Denial of Service to attack the system hosts and thus paralyze the network and stop the service of the target. The key problem of the example is due to the Microsoft IIS system has security hole to make network hacker to attack it. Nowadays, since the information networks develop rapidly, it is necessary to understand the terms of System Security or Network Security, then further work for system protection. Consequently, making the network system more robust and safer to avoid the hackers intrude systems. Although, we make sure the system is complete protection by firewall or security-hole free, the system may suffer from attacking of Denial of Service and result in it can't continue to provide the service normally. That reveals the importance and the necessity of the network security. This goal of this chapter is how to protect the security of computer systems in such a complicated environment in Today s Internet and networks. Therefore, we describe that in detail in three aspects, including data security, fire wall system, and intrusion detection system (IDS). 7.1 General Issues As the number of E-Transactions via networks increasing, the security issue of sending sensitivity data, including banking account, password, credit card number, and secure content of E-Transaction, becomes more and more attentative and critical. For instance, someone wants to intercept these sensitivity data for recording, analyzing, reproducing, or spoofing. Then the network security problem will suffer to be challenged. After all, the network only provides people another media with the purpose for exchanging information, data commutation, and electronics trade. If the 1

2 network security can't guarantee completely, the amount of E-Transaction by networks will be restricted. In network security, we always explain the data flow with three virtual persons: Alice (represented as sender A), Bob (represented as receiver B) and Trudy (represented as intruder T). For example, the Alice wants to send data to Bob under without any the protection networks. The transmitted plaintext between Alice and Bob may be read and collected easily by the intruder Trudy. If Trudy has the greed and techniques, Trudy may be reproduced, modified, and spoofed these data. Because network has the characteristic of remote site invisible. When the falsification data arrives at Bob, Bob receives the data undoubtly and normally as it comes from Alice. To avoid the situation occurs, some prevention processes have to adopt to secure the senstitive data before sending it. Several processing of network security will be described in detail in the following sections in this chapter. Now we first introduce some emphases of each section. Cryptograph Theory Firstly, we begin with the traditional theory of data cryptograph. In crytograph theory, a common key is used to encrypt and decrypt data, which is called Symmetric Encryption or Single-key encryption system. Since the private key and the public key are the same one, how to distribute this key efficient and secure is an important issue. As a consequence, in 1976, Diffie and Hellman proposed the encrypted method of Asymmetric Encryption. The goal of such an asymmetric encryption is adopted different key to encrypt and decrypt data. Therefore, the key distribution in networks becomes more easy and secure. There are several representive systems for the two kinds of encryption systems in nowadays networks. For instance, Data Encryption Standard (DES) and International Data Encryption Algorithm (IDEA) is based on the symmetric encryption, on the other hand, RSA is based on the asymmetric encryption. Authentication In network communication, since the Sender Alice and Receiver Bob are located at different site, they can't be identified the other like by face to face confabulation and can not be recognized the other like by phone talking can recognize the other party with the voice. This is also a special characteristic of remote site un-visible in 2

3 networks. Therefore, how to authenticate both of sender and receiver correctly is an important issue in network transaction. We will have detail description about digital authentication in this chapter. Data Integrity Even though both of the sender Alice and receiver Bob are authenticated normally, they still can not ensure that the original data did not be modified, spoofed, and malicious forged. In Section we will introduce the technique of how to ensure the characteristic of data integrity. Secure Socket Layer Protocol (SSL) and Secure Electronic Transaction standard (SET) How to achieve the secure network transactions if all of above mentioned security processes are satisified? In Section , we first explain how the Secure Socket Layer Protocol (SSL) works for the security mechanism of transferring encrypted data. Since SSL can not provide fully mechanism of exchanging secure data, we have to introduce the Secure Electronic Transaction standard (SET) and explain the operations of SET. Both of SSL and SET are the required technique of security mechanisms for the application of Electronic Commerce. IP Security (IPSec) Since the beginning operation of Internet from 70 s, the Internet users are most of some specified organizations, including Acadmeics, Governments, and Organizations, and the amount user of Internet are very stable. Nevertheless in the beginning of 90 s, the amount user of Internet increases significantly due to the new era opening of World Wide Web (WWW). Hence, so-called Internet Security Protocol (IPSec) was proposed by IETF for supporting two types of security protocols, which are based on IP Network Layer and listed as follows. Authentication Header (AH) Protocol Encapsulation Security Payload (ESP) Protocol The AH protocol provides the authentication of source node and data integrity. On the other hand, but on the other hand the ESP protocol supports complete 3

4 authentication, data integrity, and security mechanism; relatively, the processing complexity of ESP is more complicated than that of AH. The description of the IPSec protocol and its application, Virtual Private Network (VPN), will be explained in detail in Section Firewall For achieving the purpose of network security in a Local Area Networks (LAN), a good method is to impose the mechanisms of access control onto the border node that is located between the outside networks and this LAN. With the access control mechanism, the forwarding frames are monitored by the border node. More specificed, the goal of Firewall is to set some rules for allowing/denying networks. This is the simpleset concept to protect the internal network. Therefore, in Section 7.3, the description of Firewall is introduced in two aspects, including concepts of Firewall and the components of it. There are two types of Firewall system, which are Packet Filter-based Firewall Application Gateway-based Firewall In the packet filter-based firewall, it filters and routes packets based on the header of IP header or the filter rules of management, hence it operates at the network layer in the OSI reference model. In the application gateway-based firewall, it filters and routes packets based on the filter function at the application layer. Two kinds of firewall systems are introduced in Section 7.3. One is NetFilter, which is a packet filter-based firewall. The other is Trusted Information System (TIS), which is an application gateway-based firewall. Intrusion Detection System Since routing in Internet is based on the TCP/IP protocol, the protocol security holes and some defects of TCP/IP maybe result in intrusion or denial of service of service providers, for instance, the attack events of Yahoo, Amazon and e-bay servers in recent years. Nevertheless, it is necessary to understand the attacking technologies of network hackers then propose several protection mechanisms to against such attacks. Therefore, we describe some attacking technologies and protection skills in Section

5 7.2 Data Security According to the consideration in data security, the important data should be encrypted before transmitting by Alice. Even though the encrypted data is intercepted by Trudy, Trudy still can not get the original plaintext. As a result, data encryption protects the original plaintext and prevents monitoring attacks. After Bob receiving the encrypted data, Bob can obtain the plaintext from Alice by using the decryption key to decrypt it. The procedure of data encryption and decryption is shown in Fig In the principles of cryptograph, there are two main systems including, symmetric and asymmetric key systems. The difference between them is that the symmetric key system adopts the same key to encrypt and decrypt the plaintext; nevertheless, key is different for encryption and decription in asymmetric key system. These two key systems will introduce in the next two subsections, and then describe the issues of key distribution and related authentication in section Finally, the security mechanisms of transport and network layers are described, respectively. Alice Bob Plaintext Plaintext Encryption key E if (Encryption key = = Decryption key) "It is a symmetric key system." else "It is an asymmetric key system." D Decryption key Encrypted data Figure 7-1 Data encryption and decryption 5

6 7.2.1 Principles of Cryptograph Symmetric Key System Although the theory of cryptograph was proposed in very early ago, the US government firstly adopted the Data Encryption Standard (DES) to secure data in DES is a 56-bit symmetric key system, which uses a single key to encrypt and decrypt the plaintext. Moreover, the International Data Encryption Algorithm (IDEA) also adopts the symmetric key system. In present, the 56-bit DES algorithm still extensively used in the world, nevertheless a more secure symmetric key system, the 112-bit DES algorithm, can be used in USA only. In 56-bit DES, it encrypts each 64-bit data lock unit via a 56-bit key, then produces the monoalphabetic result, that is, the DES obtains the same encrypted data of a plaintext if it uses the same key to do the operation of encryption. The operations of DES are based on the transposition ciphers, substitution ciphers, and sixteen iterations computation. The principle of DES operation is shown in Fig. 7-2 and described as follows. Firstly, a plaintext is partitioned into several 64-bit data blocks. Each block, T = t 1 t 2..t 64, is performed the initial transposition to obtain T 0, where T 0 is t 58 t 50 t 42 t 23 t 15 t 7, then forms two 32-bit blocks, i.e. R 0 and L 0, which is shown as follows, where T 0 = L 0 R 0, L 0 = t 58 t 50 t 42 t 16 t 8 R 0 = t 57 t 49 t 41 t 15 t 7. The data blocks of L 0 and R 0 are to be inputs for next iteration of encrypting, respectively. L 1 = R 0 R 1 =L 0 f(r 0, K 1 ). 6

7 After that, the result becomes T 1 = L 1 R 1,where K 1 is computed from 56-bit key. The 56-bit key is pre-computed as sixteen 48-bit keys: K 1, K 2,, K 16. The process procedure of f(r 0, K 1 ) is shown in Fig. 7-3, which adopts that the 32-bit R 0 and the 48-bit K 1 as encryption inputs. Firstly, the 32-bit R 0 is expanded to get a 48-bit result by the operation of E(R 0 ). Secondly, both of the 48-bit E(R 0 ) and 48-bit K 1 is peformed XOR operation to obtain a 48-bit result, which will be partition into eight 6-bit inputs, B 1, B 2..B 8, for the following computation of substitution. 64 bits Input T=t 1 t 2... t bits Initial Transposition IP T0 16 Iterations 64 bits L i =R i-1 R i =L i-1 f(r i-1,k i ) 48 Key Selection 64 bits Key 16 keys: K 1,...,K bits IP bits Output Fig 7-2 Encryption Procedure of DES 7

8 Ri-1 32 bits Key 64 bits E KS E(Ri-1) 48 bits Ki 48 nits + B1 B2 B3 B4 B5 B6 B7 B8 S1 S2 S3 S4 S5 S6 S7 S8 S1(B1) S2(B2) S3(B3) S4(B4) S5(B5) S6(B6) S7(B7) S8(B8) p f(ri-1,ki) 32 bits Fig 7-3 Computation Process of f(r i-1,k i ) After the computation of substitution, S i, eight 4-bit blocks, S i (B i ), are obtained, then performs a 32-bit transportation to get f(r 0,k 1 ) and finally the R1 can be also obtained by the operation of L 0 f(r 0,k 1 ). By doing the same iteration 16 times, i.e., L i R i L i+1 R i+1,i=0,,1, T 16 =L 16 R 16 can be obtained, then performs the inverse initial transposition to get a 64-bit encrypted data. On the other hand, the plaintext can be obtained from decrypting the encrypted data by performing the inversion procedure of encryption. How about the characteristic of security that DES has? No one can guanantee that. Since the RSA Data Security company provide USD for whom can decrypt the plaintext with Strong cryptography makes the world a safer place., which is encrypted by the 56-bit DES algorithm in 1997, the encrypted data is decrypted by a team at less than four monthes. Moreover, a person who decrypted the last challenge of DES challenge Ⅲ in 22 hours in Therefore, if we feel that the DES is not secure enough in application, the several times computation of DES algorithm can support more secure that single DES system. For instance, Triple-DES (3DES) and 128-bit DES algorithms have been proposed by the US government as the standard for encryption and decryption in USA. 8

9 Asymmetric Key System From the principle of the symmetric key system, we knew that uses the same key to both operations of encryprtion and decryption. There are two issues should be addressed before using it. First, how to identify the sender Alice and receiver Bob in the first time data exchange. Second, how to distribute the secret key secure from sender Alice to receiver Bob. Therefore, two different keys are propsed to encrypt and decrypt data, respectively. Such a system is called Asymmetric Key System or Public Key System, which uses a public key to perform encryption the plaintext and uses anyther private key to perform decryption as shown in Fig In Fig. 7-4, Alice and Bob use two different keys, in which Alice uses Bob s public key to encrypt and Bob uses his private key to decrypt the encrypted data. Consequently, Bob can distribute public key to anyone in networks more secure and convenient. Alice Plaintext, m Bob Plaintext, m m=d Bob (E Bob (m)) Bob's public key E D Bob's private key c=e Bob (m) Encrypted data c=e Bob (m) Fig 7.4 Asymmetric Key Cryptography In asymmetric key system, RSA is the most famous algorithm, which was proposed by three professors in MIT including Ronald Rivest, Adi Shamir, and Leonard Adleman in RSA uses a pair keys to encrypt and decrypt data; furthermore, it has been extensively adopted for the application of digital signature. Nevertheless, RSA still has a primary disadvantage of high computation complexity, which results in low efficient and can not be apply to vast amount data encryption. In morden networks, it always adopts RSA to distribute keys and performs the operation 9

10 of decryption in digigal signature, and the vast amount data is encrypted by DES algorithm. In addition, the procedure of selecting public and private keys in RSA is described in Fig Select two large enough primes p and q. Larger primes are less crack, but the computation time will increase significantly. RSA Lab. Suggests that the selected primes should be larger than Compute n by p*q and z by (p-1)*(q-1), i.e., n=p*q and z=(p-1)*(q-1). 3. Choose a value e as the public key, which is less than n and that is prime to the value of z. 4. Compute a value d as the private key, where e*(d-1) should be divisible by the value of z. Therefore, Bob can be distributed the public key (n,e) to Alice or anyone in the network, then Alice can use the public key to encrypt data and Bob can use his private key (n,d) to decrypt data. For instance, Alice transmits a number or a bit pattern m to Bob, where m is less than n. Alice first computes m e and divid it by n to get the remainder c, which c is the cipher or encrypted data. Once Bob receiving the encrypted data c, he computes c d and divids it by n to get the remainder m, where m is the original plaintext, which is shown as following equations. c = m e mod n //use the (n,e) public key to encrypt plaintext and get encrypted data c m = c d mod n // use the (n,d) private key to decrypt the encrypted data then get plaintext m. 10

11 1. Select two very large Select two very large prime values, p and q prime values, p and q 2. n = p x q n = p x q z = (p-1) x (q-1) z = (p-1) x (q-1) 3. Choose a number, e, less Choose a number, e, less than n, which has no than n, which has no common factors with z common factors with z 4. Find a number, d, s.t. ed-1 Find a number, d, s.t. ed-1 is exactly divisible by z is exactly divisible by z 5. Get Get public key (n,e) public key (n,e) and and private key (n,d) private key (n,d) Fig 7-5. Procedures of public key and private key section by RSA Next, we give an example to describe key selection procedures in the RSA algorithm. First, Bob selects p=11 and q=17, then computes n by p*q (n=187) and computes z by (p-1)*(q-1) (q=160). Second, Bob selects 23 as e, where e is prome to z. Finally, Bob computes (z+1)/e to obtain d=7. Therefore, Bob distributes the public key (n=187, e=23) to Alice. Once Alice uses the public key to encrypt a plainytext m and gets the encrypted data c. After Bob receives the encrypted data c, he decrypts it by his private key (n=187, d=7). Assume that Alice sends a plaintext of clap to Bob, Alice first maps characters a~z to numbers 1~26 and obtaining c =3, l =12, a =1, and p =16. The encryption procedure with public key (n=187, e=23) is shown in Fig. 7-6(a) and the decryption procedure with secret key (n=187, d=7) is shown in Fig. 7-6(b) Plaintext m m e c = m e mod n c l E a

12 p E Figure 7-6 (a) Procedure of Alice encrypting plaintext clap by using public key (n=187, e=23) Encrypted text, c c d m = c d mod n Plaintext E+15 3 c E l a E p Figure 7-6 (b) Procedure of Bob decrypting by using secret key (n=187, d=7) From above explanation of the RSA algorithm, we know that both of encryption and decryption procedures are computed by exponential operation, which results in high computation complexity. As RSA Lab. declarates that the efficiency is 21.6 kb/s for 512-bit and 7.4 kb/s for 1024-bit, respectively. Nevertheless, efficieny of DES is 100 times faster by software computation and 10 3 ~10 4 times faster by hardware computation than that of RSA. It is clearly, the RSA algorithm suffers from computing of vast amount data. Another issue is how to select an extreme large numbers to satisy RSA efficiently. Today most applications are combined the symmetric and asymmetric key systems in reality. Sender Alice randomly generates a session (symmetric) key to encrypt plaintext into ciphertext C. Then sender Alice uses Bob s public key (asymmetric) to encrypt the session key, and sends it with ciphertext C to receiver Bob. After Bob receiving them, Bob first uses his private key (asymmetric) to decrypt the encrypted session key. Second Bob uses the session key to decrypt the ciphertext C into plaintext successfully. By using the advantage of cominding symmetric and asymmetric key systems, both of sender Alice and receiver Bob are unnecessary to know the same session key before data transmission. Hence, the key distribution procedure is under safe operation and results in efficient data transmission. Therefore, RSA has two primary functions. One is using RSA to encrypt session key of DES for convient distribution of symmetric session key, and the other function is using RSA to authenticate network users. Authentication is an important issue in network security, which will be described in next subsection. 12

13 7.2.2 Digital Signature The problem of invisible under long distance communication has been mentioned in the beginning of this chapter. Once Bob receives a message from Alice, how to identify that the message is sent by Alice. If an intrusion Trudy pretends Alice to send it that reveals authentication is essential and important. There are three methods to achieve authenticate including, secret information, possession of object, and characteristic. Password and encryption authentication are based on secret information. Checking password is the most popular method to identify network user, but it s easy to attack by hacker, network intruder and network monitor. Hence, checking password is not a good method to achieve authentication. Another encryption has described in previous section. In symmetric key system, the main problem of key distribution should be addressed. In asymmetric key system, Digital Signature is the most popular authentication. Like passport checking while boarding a flight. Consequently, there are three advantages of applying digital signature onto transmission data including, to identify this data is sent by sender Alice, sender Alice can not deny that he sent the data before, and receiver Bob can not modify the received data. By using asymmetric key system and hash function to achieve the technique of digital signature. As shown in Fig. 7-7 and 7-8, sender Alice adopts digital signature to perform authentication with sending plaintext to receiver Bob. In Fig. 7-7, sender Alice first computes the plaintext via a hash function to get a unique hash value of , and then Alice encrypts the hash value by his private key and obtains encrypted text of??!!??!!. Finally, Alice sends the encrypted text, i.e. Alice s digital signature, with plaintext to Bob. After Bob receiving the plaintext with digital signature of Alice, two separate processes are applied. First Bob decrypts the digital signature of??!!??!! by Alice s public key to get the hash value of Second, Bob computes the plaintext by the same hash function to obtain the hash value of If these two hash values are the same, it certifies that the plaintext is sent by Alice. Finally, above mentioned three functions of digital signature are satisfied as follows. Alice can not deny sending this document before, for the reason that Alice encrypts hash value via his private key. Bob can not modify the received document; otherwise these two hash values 13

14 will not be the same. The document is identied that is sent by Alice because of having the same value of Plaintext Hash function Hash function unique hash value a) Alice can NOT deny sending this document, for the reason that Alice encrypts hash value via his private key Alice's private key??!!??!! Encrypted text +??!!??!! Plaintext Plaintext Plaintext with "Digital Signature" Figure 7-7 Alice sends documentation with Digital Signature??!!??!! Plaintext??!!??!! Plaintext Alice's public key Hash function Hash function unique hash value The document is sent by Alice, if these two output values are the same. Otherwise, Bob can NOT identify it is sent by Alice. b) Bob can NOT modify the received document, otherwise these two output values will not be the same. c) The document is identified that is sent by Alice because of having the same value " " Figure 7-8 Bob identify the received documentation with Digital Signature, whether it is sent by Alice or not We have described that Alice should be generated a hash value of the corresponding plaintext before sending it. The hash value is so called the Message Digest (MD). The function of message digest is to keep data integrity for achieving three characteristics of authentication. Popular hash functions include MD4, MD5, and Secure Hash Algorithm (SHA), etc, where MD4 and MD5 proposed by Ron Rivest in 1992 and MD5 is the most useful algorithm to generate a 128-bit message digest. Furthermore, a similar to MD4 hash function, SHA-1, is adopted by the US Federal government, 14

15 which generates a 160-bit message digest Transport Layer Security Cryptograph theory and authentication techniques have been described in the beginning of this section. Now we explain how to combind these two parts for achieving secure function in transport layer. For the increasing demand to access mobile information via heterogeneous wireless networks, the wireless mobile networks and Internet play an important role to achieve the goal, in which there are several key areas: the wireless mobile networks, the personal mobile communications, and network security. In the area of network security, how to build a secure and reliability e-transaction or m-transaction between client and server hosts and to protect private information of client are very important. One of good solution is the mechanism of Secure Socket Layer (SSL). Nevertheless, in the e-transaction procedure of E-commerence, a more secure mechanism is needed. Security Electronic Transaction (SET) was proposed for this purpose. Both of SSL and SET will be introduced in Section and Section , respectively Secure Socket Layer (SSL) In web browser, a small lock icon is always in unlocked status and sometimes in locked status while sending secure data. That is an example operation of SSL while lock is in locked status. SSL was proposed by Netscape to support data encryption and authentication of data exchange between web client and sever. Also SSL is one of popular web secure mechanism, which adopts the Transport Layer Security protocol (TLS) and operates between Transport and Application layers. Now that is defined in RFC 2246, which is shown in Fig.7-9. Before performing SSL, client and server should be negotiated with data encryption algorithms such as, DES or IDEA, and both authentication certification. After completing the negotiation procedure, the key encryption and decryption processes can be started to confirm secure of data transmission. The transaction flow of SSL protocol is shown in Fig. 7-1, which is explained as follows. 15

16 Client send SSL Client Hello message to construct encryption mechanism with Server. Server replys SSL Server Hello message to Client to confirm it, then it sends its certification back to Client to request Client s certification. Client sends its certification to Server. After that, Server and Client perform the negotiation of key exchange, in which session key is encrypted by Server s public key. Finally, Client and Server obtain session key and peform data encryption and data exchange. Application Application SSL SSL TCP TCP IP IP Figure 7-9 SSL layer Client Server SSL Client Hello SSL Server Hello Server Certification Request Client Certification SSL Handshake Client Certification ClientKeyExchange (RSA) Digital Signature Certificate Verify ChangeCipherSpec Finished Encrypted Data Encrypted data stream (DES) Figure 7-10 SSL Transaction flow 16

17 Lack of data integrity in SSL SSL supports protocol of data encryption between Client and Server, but it lacks of integrity of secure payment mechanism in backend, for example, secure payment of credit card. Assume that Alice orders some merchandise from Bob and pays it by credit card. The credit card information is secure to send to Bob. Since Bob has key to decrypt the encrypted information of Alice credit card, we can t make sure that Bob will be abused of Alice s credit card information. This is the reason of SSL lacking of data integrity and fully secure. Moreover, SSL also lacks of the certification of Client s credit card. Once hacker gets someone s credit card number, he may be abuse it. Furthermore, the transmission data is encrypted between Client and Server, Intrusion Detection System (IDS) will not filter the encrypted information, which results in security holes of host. Since SSL lacking of data integrity and having security holes, the Security Electronic Transaction (SET) was propsed to overcome it. SET supports fully secure electronic transactions between frontend and backend hosts which is described in next subsection Secure Electronic Transactions (SET) Secure Electronic Transactions (SET) is a secure payment protocol, whichis proposed by Visa, MasterCard, IBM, Microsoft, and HPcooperarions in February And the Secure Electronic Transaction LLC (or called the SETC) organization established by July of 1997 is responsible for the management and promotion SET protocol in the world. Basicly, the characteristic of SET is shown as follows. SET only provides to encrypt the related information in payment, rather than SSL can encrypt information between the Client and Server. SET combines the buyer, selling party and selling party bank, and provides encryption high sensitivity data, which is transferring among these three parties. At the same time, these 17

18 three are required to have the Digital Certification. The main difference between SET and SSl is that SET will not give the creditcard number of buyer to the seller. That prevents abnormal using buyer s creditcard by the seller; hence, it keeps the payment in secure enviorment. SET is to apply in the finance system, so it does not be restricted to use shorter key. Then we describe the operation flow of SET by using the Fig In SET, there are four main roles including buyer Bob, e-shop seller Alice, crad holder s bank, and e-shop s bank. Bob s public key (E B ) and private key (D B ), Alice s public key (E A ) and private key (D A ), and both Certifications need to be process in the operation of SET. The main data flow of SET is that the order information and creditcard number of cardholder Bob should be sent to the crad holder s bank and e-shop s bank safely. Consequently, the order flow of ordering some products from buyer Bob to Alice s e-chop via SET security protocol is shown as follows. 1. Bob selects some interesting products from Alice s e-shop and infors Alice that he will be paid by creditcard. 2. Alice returns transaction ID of this order to Bob. 3. Alice sends his certification, public key, and public key of his bank to Bob. 4. Bob receives above messages at step Bob makes an order from network and has Order Information (OI) and Purchase Information (PI). Bob encrypts OI by Alice s public key and sends it to Alice. At the same time, Bob encrypts PI by the public key of Alice s bank and sends it to Alice s bank. 6. Alice sends Request to Certificate message to Bob s credit card bank with the order ID. 7. Alice uses the public key of his bank to encrypt the following messages, including the encrypted PI from Bob, Alice s Certification and Request to Certificate message and sends 18

19 P.S2341 Modern Computer Networks: An Open Source Approach Chapter 7 them to his bank. 8. Alice s bank decrypts these encrypted messages and checks that were modified before or not. 9. Alice s bank uses the original exchange mechanism of creditcard to process the related operation. 10. Bob s bank replys the result of certification to Alice s bank. 11. If Alice s bank receives successful certificated, then it replys the message to Alice. 12. If everything is OK, Alice sends the reply of order message to Bob for making sure that the transaction is done. From the operation flow of SET, each pair procedures of request or response should need two parties. This is to protect any third party to modify or gather secure information. Furthermore, the creditcard number of Bob (within PI) has been encrypted by the public key of Alice s bank, Alice can not obtain the original creditcard number of Bob. As a result, SET can provide secure mechanism for e-transaction to ensure secure transaction environment through networks. 1 E-wallet 5 Internet 2,3 Merchant Cardholder 4 CA 12 Merchant Server 6,7 11 Internet 10 Credit Card 9 Payment Gateway Issuer/Credit Card Bank Acquirer (Bank) Figure 7-11 SET Operation Flow 19

20 7.2.4 Internet Security, IP Security (IPSec) TCP/IP is the most popular protocol used in present networks. Since the TCP/IP protocol is used in several areas, Internet becomes the largest network in the world. Since Internet protocol does not define any secure mechanism, the transmission data in Internet is easy to capture and decode. How to provide a secure transmission in the largest network in this world is very important in real applications and research issues. In order to ensure the network secure, where TCP/IP is provided. The IETF establishes an open standard of network security protocol, i.e., Internet Protocol security (IPSec), and expect to apply the security technology in the network layer for providing both the transceiver and the receiver in security communication service. Meanwhile, it also allows the upper application or protocol use these safe services. Therefore, in section , we first introduce the concept of IPSec, and then describe the mechanism of IPSec, which defines the IP Authentication Header, IP Encapsulation Security Payload, and the key management, to achieve the request data integrity, authentication, and privacy in security communication. As developing of electronic commerce (E-commerce) for transacting secured data between enterprise and customer, the Virtual Private Network (VPN) is promoted for the purpose. Due to the VPN has the advantage of inexpensive and easy setup, it has been adopted by several enterprises. Therefore, in section , we will make thoroughly discussion in the VPN concept and various VPNs design IP security (IPSec) Because Internet Technology becomes mature in recent years, more users use the Internet convenient in such a public network. Many commercial services were constructed based on Internet; therefore, the private communication is concerned with the users as they often need transfer the secret data. If there is not any trusted secure network, it causes that the network user lacks of confident for using the network commercial services. For overcoming such an issue, several network security standards are proposed in 20

21 succession to Session Layer and Application Layer. As mentioned before, SET and SSL can achieve secure HTTP, the PEM standard can achieve secure , which is proposed by the PSRG group of IETF, and General Security Service Application Program Interface (GSSAPI) supports secure transmission in Telnet, FTP and HTTP, which is referred as RFC1508 and In fact, these applications or protocols are based on the Internet Protocol (IP). Therefore, a secure mechanism for IP is necessary to integrate different secure mechanisms of various applications of upper layer. In such situation, IETF established IP Security (IP Sec) for IPv4/v6 to achieve the following goals, including Authentication, Integrity, Confidentiality, and Access control, etc. The first version of IPSec (RFC1825 to RFC1829) was proposed in There are two primary modes of it, including IP Authentication Header (AH) and IP Encapsulation Security Payload (ESP). The former mainly provides the integrity and authentication of data, but the latter provides the secure data transfer. For using IPSec in the IPv6 environment, it designs in two option headers that include the Authentication Header and the Encapsulation Security Payload Header. In the first version of IPSec, there is no description about key exchange and management. The first version mainly defines the transformation of the format of a packet. In 1998, the second version of IPSec (RFC2401, RFC2402, RFC2406) was proposed, and Security Association (SA) and the key management- IKE (Internet Key Management) are included. Consequently, the IPSec becomes completely after including SA and IKE. Security Association For the purpose of private communication in IPSec, a secure environment is required to transfer data between transmitter end and receiver. Security Association is designed for building such a secure environment. Meanwhile, Security Association is also the most important concept in the framework of IPSec. For the transmitter end the receiver, SA provides a unidirectional connection of secure transfer. In SA, several important parameters are defined, for instance, the authentication algorithm and the key which is used in the authentication algorithm, 21

22 the encryption/decryption algorithm and the key which is used in the encryption/decryption algorithm, and a valid period of keys, etc. Therefore, a private and secure communication can be achieved with the same SA. A 32-bit Security Parameter Index (SPI) can define a security association. Moreover, a unique SA can be defined by IP address of a host, a security identification code (represents AH or ESP), and SPI. Since SA is a unidirectional, it requires two SAs to build bidirectional point-to-point secure transfer. Furthermore, a SA uses either AH or ESP as the security protocol only. Two SAs are required, if both security protocols of AH and ESP are used at the same time. Authentication In RFC1828, it suggests that IPSec uses MD5 algorithm to authenticate. The main function is that the sender computes a message from the sending IP packet and a secret key with MD5 algorithm, and then adds the message into the sending packet. After receiving the IP packet, receiver performs the same MD5 calculation with the IP packet and the secret key to obtain message value. Then receiver compares the message value with the added one in IP packet. If these two are the same, the authentication is success; otherwise, it rejects. Because the MD5 calculation computes with the whole IP packet, this method not only performs authentication, but also certify for the data integrity. In the aspect of supplying authentication services, IPsec defines two modes of authentications including End-to-End mode and End-to-Intermediate mode. The main difference is shown in Fig In the End-to-End mode, both parties of the communication perform the authentication. This mode was used when both parties of the communication do not have confidence in the security of network facilities but still expect to ensure the security of the transmission themselves. In the End-to-Intermediate mode, the authentication performed at one party and the router or firewall of the local area network of the other party of the communication. In this way, the router or firewall plays the role as a Security Gateway. In other 22

23 words, the security of the local area network that the security gateway located is guaranteed by the security gateway. Intranet Router/ Firewall End-to-intermediate Internet End-to-end authentication Figure 7-12 Authentication Types Figure 7-13 shows the content format of the authentication header. The first field, Next Header, represents the payload type. Following is the 8-bit Length field. The 16-bit Reserved field is reserved for future using. In present, the value of Reserved field is set to 0. The SPI field represents a unique SA. The Sequence Number Field represents the sequence number of packets to prevent the replay attack Next Header Length Reserved Security Parameter Index (SPI) Sequence Number Field Authentication Data (variable) Figure 7-13 Authentication Header Encapsulation Security Payload Encapsulation Security Payload provides secure IP packet transmission. In present, the IP ESP adopts DES or Triple-DES as the encryption standard. ESP does not only guarantee data secure, but also achieve authentication, data integrity and prevent to the attack of retransmission. There are two modes within ESP including Transport 23

24 Mode and Tunnel Mode. Transport mode is used to encrypt the block of transport layer, and the tunnel mode is aims entire IP packet to encrypt. Transport mode ESP and tunnel mode ESP are shown in Fig and 7-15, respectively. In Transport mode ESP, ESP header locates before the data block of transport layer. The advantage of this mode is that the encrypted part is less than that of tunnel mode ESP. Since it is not necessary additional IP header, the required bandwidth is less than tunnel mode. Moreover, encrypt and decryption are done at both hosts in the transport mode ESP. The transport mode ESP is preferable, if the communication from end to end do not trust in the transmission route various networks equipment security. In the tunnel mode ESP, ESP header locates before the encrypted IP packet and it produces a new IP header. This mode is suitable for the Internet environment that uses security gateway to protect. During transferring, sender or gateway performs the encryption procedure of IP packet, and then the encrypted packet is sent to the receiver s gateway. After the receiver s gateway receives it, it decrypts the IP packet and sends the original plaintext data to the receiver. IP Header Ext. Header ESP Header Transport layer segment Unencrypted Encrypted IP Header Figure 7-14 Transport Mode ESP Ext. Header ESP Header IP header + Transport layer segment Unencrypted Encrypted Figure 7-15 Tunnel Mode ESP The AH in combination with the ESP: Through the combination using with AH and ESP, it can achieve encryption and authentication at the same time. The procedure of encryption can be done before authentication or versus. In the case of encryption before authentication in 24

25 transmission mode as shown in Fig. 7-16, Encapsulation Security Payload is firstly encrypted by ESP, which will be encapsulated by AH. In the tunnel mode, the entire IP packet is encapsulated by ESP and encapsulated by AH. In the case of authentication before encryption, this is suitable for the case of transmission mode, in which the payload is encapsulated by AH and then encrypted by ESP as shown in Fig IP Header Auth. Header ESP Header Transport layer segment E-T Scope of authentication E-T : Encapsulating Security Payload trailing fields Figure 7-16 Encryption before authentication IP-H ESP-H IP-H A-H Transport layer segment E-T Scope of authentication Figure 7-17 Authentication before encryption Key Management Because of AH authentication and ESP encryption need both encryption and decryption keys. Therefore, key management and the exchange become important in the IPSec standard. At present, the main key management protocol includes SKIP (Simple Key-management for IP) and ISAKMP/Oakley (Internet Key Exchange, IKE). SKIP is proposed by Sun Microsystem, which adopts the Diffie Hellman s key exchange algorithm to transmit the secret key in the network. In order to guarantee it secure, the Public key must apply for the certificate via Certificate Authority (CA). Therefore, it needs the public key infrastructure to fulfill the purpose. In the case of IKE, Oakley defines the ways to distinguish and confirm key. Nevertheless, in the case of ISAKMP, there are two steps in the operation of ISAKMP. In the first step, both ends of ISAKMP communication should be setup a secure and authenticated channel, ISAKMP SA, via negotiation, which is the first built SA. In the second step, it uses the ISAKMP SA to build AH or ESP s SA. The primary difference between ISAKMP SA and IPSec SA is that ISAKMP SA is a bidirectional SA, but IPSec SA is a unidirectional SA. 25

26 Virtual Private Network (VPN) After introducing the standards and operation of IPSec, the most popular application of IPSec in commercial, Virtual Private Network (VPN), is described in this section. VPN is to build a private network via public networks such as Internet. In previous, the private network communication between two enterprises always used Lease line from ISP including Lease Line, ISDN, ATM, Frame Relay. The disadvantage of it is the leased fee costs too much. The advantage is keeping transfer in a secure network. On the other hand, the most popular public network, Internet, is cheap, convenient, and scalable. Therefore, the goal of VPN is to build a virtual private network via the public Internet to achieve the cheap, secure and efficient transmission among enterprises. VPN are based on the following technologies: Tunneling Encryption and Decryption Key management Authentication The technologies of Encryption and Decryption, and Key management have described in previous sections, Cryptology and IPSec. Hence, we make a detail explanation of Tunneling and Authentication in this section. Tunneling technologies Tunneling is based on the technology of encapsulating packet. It builds private communication tunnel via public networks. Currently, two tunnel technologies are adopted in IPSec One is layer 2 tunneling and the other is layer 3 tunneling. In general, if a company wants to use it's corporate network to provide PPP service, users must connect to company's PPP server when they want to dial directly to the corporate network. The advantage of the layer 2 tunneling is that users just dials to local Network Access Server (NAS) and uses the NAS to establish tunnels. This could 26

27 reduce by a large amount the phone bill for directly connection. In other words, this uses the Internet to transfer PPP frames. PPP can support many protocols; therefore, layer 2 tunneling can support IP, IPX, NetBEUI, and AppleTalk at the same time. Layer 3 tunneling technology has been explained in the section of IPSec. Microsoft proposed PPTP, which is developed for using on VPN. Based on PPP, PPP frames transmit IP packets in the tunnel. There are two types of PPTP tunnels: client-initiated mode and ISP-initiated mode. In the client-initiated mode, client initiates direct connection to the PPP server. In the ISP-initiated mode, client establishes a PPP session with the ISP access server, and the ISP access server establishes tunnels with remote PPTP server. The established tunnel can be shared by several connections by the means of call ID. L2TP mainly combines Layer 2 Forwarding (L2F), which is proposed by Cisco, and PPTP protocol. Each end of the L2TP tunnel acts as a L2TP Access Concentrator (LAC) and L2TP Network Server (LNS). Usually LAC acts as the client site and the LNS acts as the server site. The L2TP has two types of message, control and data. The control message mainly establishes and manages tunnels, and can utilized reliable transfer mode such as ATM. Data message is transmitted by packet frames and utilize unreliable transfer modes such as UDP. The tunnel establishing, is the same as PPTP, can be shared by many connections by the means of call ID. Authentication Two types of authentication are available, user authentication and device authentication. There are several techniques in user authentication. The most use is user account and password, or card authentication. Device authentication uses X.509 electronic certificates delivered by Certificate Authority. Before exchanging data between both ends, certificate should be sent to establish trust relationship. Both ends compare the certificate. If it matched, then the authentication is successful. Data exchange then would follow. Otherwise, rejects the exchange of data. Classification of VPN The standard document of VPN (RFC2764) classifies VPN into four types: Virtual Lease Line, VLL Virtual Private Routed Network, VPRN 27

28 Virtual Private Dial Network, VPDN Virtual Private LAN Segment, VPLS In the four types of VPN, VLL is the simplest one. User establishes point-to-point link through Customer Premises Equipment (CPE). The connection between the host and the ISP, so called stub link, can be any link level style connection, such as ATM VCC or Frame Relay. As shown in Fig. 7-18, two ISP ends are connected to IP backbone network, and establish connection through IP tunneling. VLL also sets the stub link on the ISP end to work with the IP tunnel. An example of this is that the data sending ISP edge node can pack the ATM AAL 5 payload and send it to the IP tunnel, and the data receiving ISP edge node would unpack the data received and send the original ATM AAL 5 payload to data receiving end. To the end user, the VLL structure seems to establish a route that connections two ATM VCC or Frame Relay CPE ends. CPE Frame Relay Circuit ISP edge node IP Backbone IP tunnel ISP edge node Frame Relay Circuit CPE subnet = /30 Figure 7-18 Example of Virtual Lease Line VPRN is designed to emulate an environment of multi-node wide area routed network. This kind of VPN differs from other VPN kinds are that the packets are transferred in the network layer. The whole VPRN ISP edge nodes form a full mesh network. Every ISP edge node can transfer packets to the destination server by routing mechanism. Therefore, every ISP routed network all has a VPRN packets forwarding table. Figure 7-19 is an example of three ISP edge nodes forming a full mesh network. The three ISP edge nodes are all connected to the other two by an IP tunnel. The backup link in the figure is for CPE to establish another ISP edge node link when the stub link failed. This enhances the overall strength of the whole network. A backdoor 28

29 link is a connection created by two CPE without going through ISP network. The advantage of VPRN is that complex works is mostly done by the ISP edge nodes. CPE's setup and work are reduced to minimum. CPE just needs to pass data to ISP edge node through a stub link, and ISP edge node would transfer the data. There is no need for CPE to establish links. Other than that, firewall and quality assurance type of services are provided by the ISP edge nodes as well. But VPRN also has its disadvantage. Due to the need to establish a full meshed network, this VPN structure is not suitable to networks with large number of SIP edge node router. CPE /30 ISP edge router /30 ISP edge router CPE /30 IP Backbone ISP edge router / / /30 CPE CPE /30 IP tunnel stub link backdoor link backup link Figure 7-19 Example of Virtual Private Routed Network VPDN is a user-connected tunnel by ad hoc tunnel linked to remote network. In other words, user dials up or uses ISDN to connect to public IP network. The VPDN uses the L2TP protocol. Through L2TP, an end of the user's PPP session can extend through LAC to remote LNS server. Because L2TP is a combination of L2F and PPTP, it also provides PPTP client-initiated and ISP-initiated mode. In the L2TP, 29

30 these are also called Compulsory Tunneling mode and Voluntary Tunneling mode. In Fig. 7-20, in the Compulsory Tunneling mode, host side edge router acts as LAC and corporate network acts as LNS. In this mode, LAC uses L2TP to extend the original PPP session on the LAC to the remote LNS side. The Voluntary Tunneling is shown in Fig The host itself acts as LAC, and establishes a tunnel with corporate network. This way, the corporate router is not involved in the tunnel establishing and network devices are not involved either. HOST dial connection NAS (LAC) IP Backbone GW (LNS) Corp. Network L2TP Tunnel PPP session Figure 7-20 Compulsory Tunneling Example of VPDN HOST (LAC) dial connection NAS IP Backbone L2TP Tunnel with PPP session or IPSec Tunnel GW (LNS) Corp. Network Figure 7-21 Voluntary Tunneling Example of VPDN VPLS uses Internet devices to emulate a local area network. Its structure is very similar to VPRN. The main difference is that ISP router of VPLS is used to execute network layer transfers, but ISP host executes link bridging. Figure 7-22 is an example of VPLS. 30

31 ISP edge node ISP edge node CPE /24 CPE /24 IP Backbone ISP edge node CPE /24 IP tunnel stub link Figure 7-22 Example of Virtual Private LAN Segment Open Source Implementation: FreeS/WAN FreeS/WAN is a Linux software that processes IPSec and IKE. It works as a module in a Linux kernel. The whole FreeS/WAN can be divided into three parts: KLIPS: it is an abbreviation of Kernel IP Security. It is designed to process packet handling with AH, ESP, and the packet processed part in kernel. Pluto Daemon: It is responsible for processing IKE Daemon, and handling the exchange and management of encrypted/decrypted keys. Administrator interface The flow chart of KLIPS is shown in Fig When the administrator uses insmod command to activate KLIPS module, it executes init_module(). This function will register KLIPS as a module to the Linux kernel, and then it uses ipsec_init() to initialize some parameters. This part can be set manually by command, or can be done by saving the setting in a file of ipsec.conf. When the administrator uses rmmod command to remove the KLIPS module, it would then execute clean_module() to clean up the data and release the memory. 31

32 START init_module() ipsec_init() cleanup_module() Figure 7-23 Flowchart of KLIPS Because IPSec needs to use tunnel technology to establish a private passage between these two communication ends, it would use a data structure called Tunnel Descriptor Block (TDB) to record information about the private tunnel, Information such as source IP address, destination IP address, error code, tunnel status, etc are saved. KLIPS also uses another data structure called radix tree to save the path information needed for packet transferring mechanism when communication end acts as a communication gateway. Figs and 7-25 shows the work flow when ipsec_init() function is called. At the beginning, ipsec_init() calls ipsec_tdbinit() to initialize the values in the TDB, then it calls ipsec_radijinit() to initialize radix tree. Then it uses pfkey_init() to decide the exchange and management method. In KLIPS, four virtual network devices ipsec0, ipsec1, ipsec2, and ipsec3 are defined. The commands by the administrator are directly placed to the virtual devices. The register_netdevice_notifier() function provided by the kernel is to register these virtual network devices, like plug-in network interface cards. Then through administrator's commands or kernel function inet_add_protocol(), registration of security protocol such as AH, ESP, or IPCOMP (IP Compression) to the inetd is completed. After this process, ipsec_init() calls ipsec_tunnel_init_device() to initialize the four virtual network devices. Finally, depending whether user uses sysctl command to control the ipsec, it decides to call ipsec_sysctl_register() or not. 32

33 ipsec_tdbinit() ipsec_radijinit() pfkey_init() register_netdevice _notifier() ESP YES YES inet_add_protocol (&ah_protocol) NO AH NO inet_add_protocol (&esp_protocol) IPCOMP YES inet_add_protocol (&comp_protocol) Figure 7-24 Flowchart of ipsec_init() (PART I) ipsec_tunnel_init _device() SYSCTL YES NO ipsec_sysctl_register( ) RETURN Figure 7-25 Flowchart of ipsec_init() (PART II) Figure 7-26 is the execution flow chart of Pluto Daemon. At the beginning, the Pluto Daemon executes some initialization including the random number generator at the beginning of the key exchange, private keys, and the chart that records the connection status. It also loads some modules for decryption. Then the Daemon waits for events. If events occurred are related to timer time out, it calls functions that are designed to handle this issue. If not, then the event must be a packet from the other 33

34 side. At this point Pluto Daemon would call packet handling function to handle this event. START initialization wait for event timer event? YES NO invoke timer handler invoke packet handler Figure 7-26 Flowchart of Pluto Daemon 34

35 7.3 Firewall Introduction Due to the development of electronic commerce is very high-speed, the business transaction becoms very frequently. For this great mass fervor, the global enterprises are proceeding as the E-commerce job to increase the performances of the internal and external procedures at the enterprises that promoting competition and profit. The digitization of information lets many secure data can be acquired from the enterprise intranet but it also becomes the object hackers want to attack. Hence for supplying a function to protect the secure data, there are many vendors research develop and sell various security products. The common product to protect the enterprise network is firewall. In a word, firewall provides an access control between two networks. The transmission packets between private and public network must be checked from firewall, the packets will deliver when they match the access rules otherwise will be blocked or recorded to inform the system administrator. Firewall has the following major characteristics: Sevice request transmission: Any servers or hosts in the private network will not be direct access from the public network, any service request to servers or hosts must be transferred through firewall, hence it can avoid direct attack from the public network. Hidden private network: Due to the private network will be isolated with the public network used firewall, for users in the publice network who knows there is a firewall but is not aware that has other servers or hosts in the private network. Firewall can hide the private network outside of the public network and avoids direct accessing from the public network. Abnormal status record: Firewall can check the transmission packets between the private and public network, hence it can make records which accessing the private network. If there are any abnormal statuses, it informs the system administrator to reduce probability of attack or violence in the private network. 35

36 As above mention, firewall provides three major protections. First, it prevents login to the hosts of the private network from user in public network that has not an access permission, the login request will be blocked when it through the firewall. Second, it monitors and records the using status to prohibit any abnormal data access. Finally, it monitors any irregular commands in the private network. It informs the system administrator to process the job of defences and remedies when detecting the haker make an attack. In accordance with the difference of check field of the packet, there are two kinds of firewall, Network Layer Firewall and Application Layer Firewall. We will have a detail description at section and Additional, we will introduce separately that two Linux softwares --- Network Filter and Trusted Information System (TIS) for understanding two kinds of firewall how to work and using flow chart to present the different operation methods Network Layer Firewall Network layer firewall also terms as packet filter, that is, this firewall system filters the packets based on the network layer. Network layer firewall processes packets based on the header of IP Packet and the rules which administrators gave definition. The filtering field of packet can be protocol ID, source IP address, destination IP address, source port number of TCP or UDP, destination port number of TCP or UDP, etc. Based on different frameworks, network layer firewall can be separated to Screened Host Firewall and Screened Subnet Firewall. Figure 7-23 shows the framework of Screened Host Firewall. allow Internet IP filtering router Baston Host Private Network disallow Figure 7-23 Screened Host Firewall In the Screened Host Firewall, the incoming and outgoing packets must pass 36

37 through the Bastion Host and do not access directly between public network and private network. In another word, it must be setting in the IP filtering router that only permits the destination IP address is the Bastion Host IP Address that can get across when packets from public network to private network. Another, it prohibits the packet from private network to public network except the source ip address is the Bastion Host. Using this framework, we can understand that Bastion Host is the only network node, which can go to the private network from public network. The security of the entire private network is base on Bastion Host. Hence, Bastion Host is just the outside gateway of the private network in this framework and must resist any attack. The advantage of Screened Host Firewall is that the setting of filtering packet in the IP filtering router is very simple, because packets of incoming or outgoing private network must pass through the Bastion Host and just make access rules for it. The drawback is if let some particular services go to private network that do not pass through Bastion Host when administrator permits these situation for convenience, the entire private network will be exposed on the public network and the security will decrease dramatically if the packets go to private network via these services. Baston Host Internet IP filtering router DMZ IP filtering router Private Network Figure 7-24 Screened Subnet Firewall Figure 7-24 shows the framework of Screened Subnet Firewall. Utilizing two IP filtering routers form private network and DMZ (Demilitarized Zone). In this framework, because an IP filtering router has been built near the private network, the hosts in the private network do not have any dangers to expose them on the public network even though the IP filtering router near Internet is opening some services which can go to private network that do not pass through Bastion Host. This can resolve the drawback of Screened Host Firewall. The setting of the IP filtering router is similar to Screened Host Firewall. The IP filtering router next to the public network 37

38 sets the access rules to confirm with destination IP address of incoming private network must be the Bastion Host and source IP address from private network to public network must be the bastion host too. The IP filtering router next to the private network sets the access rules to confirm with destination IP address of outgoing private network must be the Bastion Host and source IP address of incoming private network must be the Bastion Host. In Screened Host Firewall, Bastion Host is the monitored host but DMZ will be the monitored subnetwork in Screened Subnet Firewall. DMZ is an area between external firewall and internal firewall. In general, external firewall is the internet access router in private network and internal firewall, which is used to connect DMZ and private network. Using the framework that has DMZ allows private network to own multi-layer protects via firewalls, hence can improve security Open Source Implementation: Netfilter Netfilter is architecture of packet mangling. From a viewpoint of system kernel, Netfilter is a group of checkpoints of packets that system kernel registers in the packets when processing them pass through individual communication protocol. These checkpoints are called Hook. In Netfilter, each Hook has a unique Hook number. Hence, Netfilter will check the current communication protocol whether it has a registered Hook when packets are being processed via Netfilter. If there is a registered Hook, these packets must be checked and follow the definitive rules to process. Processing packets have the following five actions: (The action of Netfilter is defined in brackets) Pass acceptance, proceed with next communication protocol. (NF_ACCEPT) Drop packets, followed communication protocol does not need to process. (NF_DROP) Netfilter processes packet, followed communication protocol does not need to process. (NF_STOLEN) Save packet into the queue. (NF_QUEUE) Call this Hook to process packet again. (NF_REPEAT) In Netfilter, executing the packet check is primary the program of IP tables. There are five registered Hooks in Netfilter: 38

39 A. NF_IP_PRE_ROUTING B. NF_IP_LOCAL_IN C. NF_IP_FORWARD D. NF_IP_POST_ROUTING E. NF_IP_LOCAL_OUT Figure 7-25 shows the description of five Hooks. A ROUTE C D ROUTE B E Local Process Figure 7-25 Hooks registered with Netfilter NF_PRE_ROUTING represents the Hook before the host receives the packet but does not process the routing function yet. NF_LOCAL_IN is the Hook found which destination address is the host after processed the routing function. NF_FORWARD is the Hook found that must been transferred to another host after processed the routing function. NF_POST_ROUTING is the Hook after completed the routing function. NF_LOCAL_OUT represents the Hook the host sends the packet before does not process the routing function. When every Hook is proceeding to examine packets, the defined rules must be applied. In Netfilter, there are three data structures as following to present the rules: struct ipt_entry, includes the fields below: strcut ipt_ip : IP header. nf_cache: Using bit stream method represents which fields in the IP header must be checked. target_offset: Represents the initial location of stract ipt_entry_target. next_offset: Records the size of content of whole rules that includes 39

40 ipt_entry_match and struct ipt_entry_target structures. comefrom: The field is used to trace the transmission of packet in the protocol stack. struct ipt_counters: Records the packet amount of comparison with this rule. Struct ipt_entry_match: Records the content of compared packet. Struct ipt_entry_traget: Records actions after comparing Application Layer Firewall Application Layer Firewall executes the filtering jobs in the application layer of ISO Reference Model. Because the carrier content of filtered packet must be checked in application layer, Application Layer Firewall can provide more precise, intelligent security function. As shown in Fig. 7-26, a common style of Application Layer Firewall of Dual-Homed Gateway. Due to packets must be filtered in the application layer, it will be blocked when direct using IP forwarding or routing to private network. Internet Private Network Dual-Homed Gateway IP routing and forwarding disabled Figure 7-26 Dual-Homed Gateway The proxy server is a very common in current Application Layer Firewall. The proxy server is an application program that transfers packets between private network and Internet. It usually switches packets based on application layer services (e.g. HTTP, FTP, Gopher,..., etc.), source IP or destination IP and other rules of administrator setting in the content of packet carries. In addition, the proxy server still has advantages for saving network bandwidth and ensuring security of private network, e.g. HTTP proxy server. When the request of HTTP service of the host in private network wants to connect the remote HTTP server occurred, HTTP proxy 40

41 server receives the requirement and checks whether it has the data in its cache memory. If there is a hit, it will send the required data in the cache memory to the host and does not connect directly to the remote HTTP server. This can reduce access time and save network bandwidth. If there is a miss in the cache memory, proxy server connects directly to the remote HTTP server and sends the HTTP request to get data then forwards the data to the host which sending the requirement. This method can avoid the hosts in private network to direct expose on the Internet and enhances the security of private network Open Source Implementation: Trusted Information System (TIS) Trusted Information System (TIS) is a set of tools for application layer firewall that is consist of many application programs. A set of tools of application program can work alone or cooperate with other application programs to provide the services of firewall. Entire set of tools provides the following major elements in according to the supplying services. Smap: SMTP service. Netacl: TELNET, Finger and Access Control List. Ftp-Gw: FTP proxy server. Telnet-Gw: TELENT proxy server. Rlogin-Gw: Rlogin proxy server. Http-Gw: HTTP proxy server Plug-Gw: News proxy server When any programs executing in the TIS, netperm-table will be loaded to read corresponding settings and rules of packet filtering. In another word, netperm-table is a common setting file for all applications in a set of tools of TIS. The primary content of netperm-table has tree fields: application name, parameter name, and parameter content. The check of rules in netperm-table is from up to down, then from left to right. Figure 7-27 is an example of http-gw part of netperm-table. 41

42 http-gw: userid root http-gw: directory /www_data http-gw: timeout 60 http-gw: permit-hosts * http-gw: deny-hosts * Figure 7-27 Example of http-gw part of netperm-table When http-gw starts, it reads the first field of netperm-table which rule setting is http-gw. In Figure 7-27, the first setting informs http-gw to use root as its user ID when it starts that is convenient to access the files or folders which can be accessed owning the permission of system administrator. The second setting is the location of directory which getting data from remote http server. The third setting is the longest establishing time of connection between assigned proxy server and remote HTTP server. The fourth setting only permits the users of subnet of * to access this proxy server. The last setting blocks any user to access the proxy server, using this setting is usually for preventing holes in security due to the setting error. The rules of setting is from up to down, so from the fourth column to the fifth column we can confirm that only the subnet of * can use this proxy server. 42

43 START YES bind listen - DAEMON NO(inetd) Read Configuration YES (child) accept fork=0 NO (parent) Get user's http request Forward http request Receive http response text/html NO Block transfer between connections YES Content filter with FSM END Figure 7-28 flow chart of http-gw Figure 7-28 is the flow chart of http-gw program. Http-gw provides two execution models. One is processing the job of http proxy server from inetd. Another is http-gw running a daemon to implement the job of http proxy server by itself. The first, http proxy server executes the job of loading the setting file from netperm-table and importing program from rules. When accepting the http request of host in private network, the comparison of rules are processed. If the result is correct then the host can use this http proxy server, the request of http forwards to the remote http server. When receiving the reply of http from remote server, the first is to check the content whether it is HTML format or not, if it is then filters it with its content, otherwise, the data will be blocked into the private network. The above status is for http-gw filtering html. In fact, http-gw also can filter gopher and FTP via Internet explorer. Simultaneously, the rules of filtering is not only for host in private network but also for host of external network or an assigned URL to process the rules setting whether it can access or not. Http-gw usually 43

44 cooperates with squid to achieve an objective of proxy server who has a cache. Http-gw there is not a cache service and it will be provided from squid. Squid will prior check cache memory whether have a data for the host needs when the host of private network brings the http request. Provides the host if it is existent, otherwise forward this http request to http-gw. Then http-gw forwards http request to remote http server then waits the response of http. 44

45 7.4 Intrusion Detection System Introduction Due to vast development of Information Technology (IT) and Internet, the number of Internet-involving user is getting larger, component of Internet is getting complicated, data transition between PC and Internet is becoming more and more important, and services provided on Internet are getting critical. However, development of Network Security somehow doesn t keep up with above items, and it s often ignored because of efficiency and convenience. Network Security consists of three components including, information protection, resource protection, and privacy protection. Information protection tends to prevent unauthorized user from obtaining or changing any sort of information. Resource protection tends to keep the resources away from unauthorized user, and resource here may be Internet online service or bandwidth. Privacy protection tends to prevent unauthorized user from reading personal data or personal behaviors, such as consuming or tracks of surfing Internet. As far as Internet and Network Security are concerned, we focus on ways of enterprise protecting themselves in messy situations. The following section will introduce ways of attack and defense methods. This Chapter will also illustrate and classify typical attacking models, including monitoring, password cracking, exploit, scanning, malicious code, denial of service social engineering and any other defensive ways, where encryption, authentication, access control, auditing, monitoring and scanning are concluded as shown in Fig double framed blocks. And then have the conclusion of still un-solved problems, including unknown exploit, denial of service and social engineering. 45

46 IDS Attack Gather Information Intrusion Crack Target Monitoring Scanning Social Engineering Direct Indirect Malicious code, Virus DoS Password cracking Security holes Malicious code, Backdoor Protect Prevent Control Detect Record Encryption Authentication Access Control Monitoring Scanning Auditing Figure 7-29 Type Tree of Intrusion and Protection Intrusion To ensure Network Security in inner enterprise, first we need to understand nowadays attacking methods on Internet, so that proper adjustment can be made while under attack, or even prevent it from happening. In this section, we will illustrate attacking methods enterprise might encounter and classify those methods. Seven methods of attacking have been selected, monitoring, password cracking, exploits, scanning, malicious code, denial of service, and social engineering. Generally speaking, attacking methods may come in three types, gather information, intrude and destroy. Gathering information means obtaining critical or private information, including monitoring, scanning and social engineering. Directly intruding means easy access to and then enters the whole system, such as password cracking. On the other hand, indirectly intruding means to get authorized by using other methods, such as malicious code and backdoor programs. Destroying means to cause damage or deny of an online service, such as virus or denial of service. Also, intruding can be regarded as following three steps, gathering information, intruding and after-intruding process. As shown in Fig. 7-30, gathering information suggests getting all related information of object as much as possible, such as host IP address/port, service it provides, user ID inside or even user password or 46

47 administrator s password. Then intruding, enter the host directly with user s password or by any exploits. After succeeding in entry, it follows afterwards operation, including clear any existing record of breaking in to prevent breaking-in evidence and perform the backdoor program for next time entry. Gather Gather Information Information Intrude Intrude Embed backdoor Embed backdoor for next coming for next coming Get Get Information Information Crack Crack target target Clear log Clear log Figure 7-30 Intrusion Procedure Monitoring It means gathering information by monitoring computer system or packets. Monitoring not actually involves truly destructive attacking, but often is done for preparation. Hacker will obtain rights, password or even user password by monitoring. Two types of monitoring will be described including, sniffing and snooping. Sniffing Sniffing suggests intercepting packets to access the information via local area networks. Normally, host only accepts packets, which is destined to the host, but through the changeable Network Adapter modes, the host will be able to accept all the packets through it, such as Ethernet promiscuous mode. Sniffer is named for this sort of attack. Sniffer is one of the programs, and it is a program that works under UNIX; the latest version is beta. It can monitor 47

48 packets by different locations, ports, destination addresses, and be able to choose whether it records the result of just simply directs the result to other terminals. Meanwhile, CERT has received a new feedback from latest attacking program, named Distributed Network Sniffer, and it contains server and client ends. Attacker invades the host on Internet and installs client program. Then use client to monitor all the packets, analyzing user ID and password, lastly sends those data to server. Figure 7-31 describes the situation. Recently client program is under Linux OS and it submits user ID and password through port 21845/udp. It s extremely powerful, as only as one of the hosts is intruded and the host installs client. Host of all areas can be entirely intruded. LAN LAN Client Client Server Server LAN LAN Client Client Figure 7-31 Distributed Network Sniffer Snooper System monitoring means monitoring memory, disks, or other stored data in order to gain information inside the host. For instance, monitoring system s memory to observe or record which buttons user has used. Attacker may use this method to get users or other hosts communicating behavior or data to intrude other hosts later. Snooper usually uses a pack of backdoor programs. We will describe backdoor program in malicious code as well as functions of system monitoring. 48

49 Password Cracking Password cracking means crack the password by performing programs or other methods. It has two ways to achieve its goal, by guessing or using brute force to figure out every possible password. By guessing, it might require a dictionary file. This password could be UNIX user s password, or a decoding password. This kind of attack will focus on UNIX password to ensure user ID. If password of root is cracked, attacker will take control of host, and, UNIX password often provides remote-access function. Therefore attacker might take control host form anywhere. Programs of this kind vary. It requires a system file where user s ID and encoded password are stored to crack the password. Just like password in UNIX and SAM of Windows NT. Cracking program means with the use of system file, attacker tries to guess about the password. If accessing to host for password without using the system file, it is quiet possible the host will record attacker s position, and normally system only allows a certain amount of errors. Time of cracking depends on speed of system and complication of password. It will take less time if the system is very fast and the password is easy to guess. L0phtCrack is a program of this type. It can crack the password under Windows NT; it s a program performing under Windows system, with its latest version of Not only it will crack passwords in Windows NT by using SAM to access to encoded user password, but it will have the access to user password by other two ways; registry and interception SAM packets in network. Registry system stores encoded user password, while L0phtCrack allows access to encode password of user from registry. If the user doesn t register from PDC to NT domain, L0phtCrack will send out SAM packets for identification in PDC. L0phtCrack could intercept SAM packets passing through L0phtCrack host, and distilled the encoded password form SAM packets Exploits Exploits are designed, practiced or operated errors in programs or software. Attacker may use them to obtain information, system administrator authority or crack the system. Numerous programs or software exists on the world, and each may cause errors; even no error occurs in designing or practicing. User s operation error is still possible. Therefore, number of exploits may be extremely huge. 49

50 Buffer overflow is the most common error and it is the reason why that frequently happened. The cause of buffer overflow is to put data to buffer, in which the size of data is larger than the capacity of buffer. If user puts 101 bytes data to a claim-100-byte array, it will result in extra data overwrite other variables. Normally it ends due to program error. Within appropriate put data, user may use the exploit of buffer overflow to perform his own program. As Fig.7-32 shown is an example of the exploit of buffer overflow. void called() {... char buffer[200];... } Put more data to buffer then cause buffer overflow and point to the cracked file address stack pointer buffer (200 bytes) stack pointer buffer (200 bytes) return address cracked file address Figure 7-32 Distributed Network Sniffer When the called() function is called, operating system will set up a stack for the function. In the above example, user just needs to put in appropriate data, which includes necessary codes, size of data needs to cover the returning address or leads to the address the execution program located. When it finishes performing, under a normal situation, it will return to the calling function. Due to buffer overflow and in-put data, the program attacker put will be performed. There are two main types of exploit including, Remote Exploits and Local Exploits. Remote Exploits Hacker may intrude remote systems to get unauthorized data, user s ID and password or system administrator authority by remote exploits, even though hacker does not have authorized user ID of the remote system. Since target is the remote system, such exploits usually take place in on-line service providing program or 50

51 software. For example sendmail, it is the most commonly used mail server in UNIX, and is the most famous example of remote exploit. Latest version of sendmail is , and it has been updated for many times. Former version has some kinds of exploits and most of that are buffer overflows, in which hacker performs his program with the right of system administrator. As latest remote exploits, those exploits caused by Redhat 6.2 Linux operating errors and wu-ftpd buffer exploits will come to mind. In Redhat 6.2, a pack named Piranha, it mainly works on web clustering, and at the same time, it includes web-based GUI to manage the web clustering. The software will come out with a default user ID piranha with password q while after installing. If the system operator installed such a system without changing the default account, hacker may apply this user ID to any program. So far, users of Redhat have chosen the option of full install without knowing changing default password, which result in the remote exploits. The software of wu-ftpd is also the most commonly used FTP server under UNIX systems, in which have discovered an exploit of likely buffer overflow. It occurs in the function of *printf() in the command of site exec. Hacker may use formatted string to overwrite the return address to get the effect of likely buffer overflow. Table 7.1 shows several remote exploits can access to the operator s password. (Reference: Security Focus ) Table 7-1 可 Some remote exploits to obtain the administrator s rights Exploits Application Version Reason phf Remote Command Execution Vulnerability Apache Group Apache Input Validation Error Multiple Vendor BIND (NXT ISC BIND Buffer Overflow Oveflow) Vulnerabilities MS IIS FrontPage 98 Extensions Microsoft IIS 4.0 Buffer Overflow Buffer Overflow Vulnerability Univ. Of Washington imapd Buffer University of Washington Buffer Overflow Overflow Vulnerability imapd ProFTPD Remote Buffer Overflow Professional FTP proftpd 1.2pre5 Buffer Overflow Berkeley Sendmail Daemon Mode Vulnerability Eric Allman Sendmail Input Validation Error RedHat Piranha Virtual Server RedHat Linux 6.2 Configuration Error Package Default Account and Password Vulnerability Wu-Ftpd Remote Format String Stack Overwrite Vulnerability Washington University wu-ftpd 2.6 Input Validation Error 51

52 Moreover, another example of remote exploit is the protocol-based attack. TCP/IP is the primary protocols for Internet, so hosts in Internet need to use the TCP/IP protocol to communicate with other hosts. The protocol-based attack tries to attack remote host by TCP/IP errors, poor design of TCP/IP or unclear definition of TCP/IP. Such as IP spoofing might be used to attack Address-based authentication system, in which hacker intrudes system by spoofing the destination IP address as acceptable address by the system. Most of such destructive attacks will describe in the denial of service in the following section. Local Exploits In the attack of local exploits, hacker acquires unauthorized data or higher priority authority such as administrator s password, while attacker already has user ID on this system. This kind of exploits usually occurs on the design of privileged program or implementing errors. Xterm is a Terminal Emulator in the X Window system. In early version, local exploit had been found some local exploits of buffer overflow. If the system replaces Xterm with SUID root, attacker might get the administrator authority with the exploits Scanning The attack of scanning is to scan a target system to gather some information of it. In fact, scanning is just like monitoring. Both of them do not attack and intrude the target system, but prepare for the afterward attacks. Attacker gains wanted information by scanning, such as service-providing programs, opened ports or even finding exploits by comparing scanning information with existing exploits. Two types of scanning include Remote Scanning and Local Scanning. Remote Scanning Remote scanning is to scan a remote target system to gather some information including, host name, open-service, service-providing program, and possible remote exploits. Its representative is Security Administrator s Tool for Analyzing Networks (SATAN), which is running under UNIX system. The latest version is in 1995 and lasts until now. Latter remote scanning program is SAINT, which is the updated 52

53 and strengthened version of SATAN; latest version at this moment is 2.1.2, another remote scanning program under UNIX, using client/server framework and adopting the www as the client s interface. Local Scanning Local scanning is to scan a local target system to gather some information including, significant system files with questioned authorization, questions privileged program and possible exploits within host itself. Its representative is COPS, a program running under UNIX; however, it never really has is latest version. TIGER is another program of local scanning and works under UNIX. The latest version is 2.2.4p1, still under constructing Malicious Code The attack of malicious code is that the hacker attacks a target system via some external device or networks. External device might be floppy, CD-ROM, hot plug-in hard disc or other possible media. This kind of attack usually happens after invading successfully. Two types of malicious code include virus and backdoor programs. Virus Virus characteristics are self-replicating and destructive. This attack means putting the virus into a target system, then attacks the target and infects other systems. Internet Worm is the most famous virus, which is developed by Robert T. Morris. The attack of Internet Worm is quiet easy, i.e., replicating itself to achieve the goals of infecting and destructive. It all begins with a host. First, it checks the local target system for whether it has outside connections. If yes, virus replicates itself and sends it to the outside host. Second, the virus replicates itself to increase the number of virus. Once the amount of Internet Wrom is too large to control, the system will stop working. Recently, Code Red and Nimda are also taking much of public attention. It is a new virus, which adopts so-called attack of Distributed Denial-of-service (DDoS). It attacks the un-infected Microsoft IIS system with infected Microsoft IIS. Since vast infection, it causes a waste of large bandwidth in Internet and results in that the servers cannot accept normal request. Therefore, the attack of DDoS only takes a few days to spread all over the world and results in serious traffic jam in networks. 53

54 Backdoor codes The attack of backdoor codes usually takes after invading successfully. For convenient intruding the same target next time, hacker adopts backdoor codes for this purpose. Early backdoor codes are easy access for hacker in next time intrusion, which usually set up under UNIX systems. Nowadays backdoor program shows up in Window systems and has the fully control of operating system. Take Back Orifice 2000 (BO2K) for example, it is a backdoor program under Window environment. It could take full control of system, which has already installed BO2K, via TCP or UDP connection. It also supports functions of file transfer, monitoring, and recording the user operation. Furthermore, it can be added with additional plug-in program to widen its function, such as sending an to attacker while the hacker host has connected to Internet Denial of Service The attack of denial of service is not to invade nor gain information, but blocking out of service, which is provided by normal operation server. Hence, user will not be accessible to the provided service. Most of this attack is separated from system exploits, especially from remote exploits and its another protocol-based attack. Exhausted limited resources are the primary function of such a denial of service attack, so the service will be impossible to carry on. Such as the TCP SYN flood attack is to fill all the waiting queues of attacker host, and the ICMP echo reply flood attack is to exhaust all the bandwidth of the target host. In the case of TCP SYN flood attack, since TCP adopts three-way handshaking to setup a connection, attacker calls out continuous SYN packets to fill in non-existing or incorrect address, the victim target system will not receive ACK packets of requiring. That results in full waiting queues, which cannot accept other connections again. In the case of ICMP echo reply flood attack, hacker simultaneously produces very large amount of ICMP echo request to the target system. Since the target system will reply the same amount reply back to ICMP echo requesters, the very large amount of ICMP packets will block the network bandwidth completely. There is some new mode of distributed attack of DoS, which is extended from DoS. As Fig shown is an example of DDoS attack. Hacker controls some handler from client end and each handler control several agents. Once hacker sends 54

55 attack command to all agents via all handlers, a large amount of attacks will take at the same time. Moreover, communications between hacker and handler is encrypted. Attacker port 27665/TCP command Master Master request: port 27444/UDP reply: port 31335/UDP command command 1. UDP flood attack 2. TCP SYN flood attack 3. ICMP echo request flood attack 4. M attack 5. Targa3 attack Agent attack Agent attack Agent Target Target Target Target Figure 7-33 Distributed Denial of Service (DdoS) Trinoo is a client/server denial-of -service attacking program, which is based on the UDP flood attack. Attacker sends out large amount of UDP packets (which is probably spoof address to avoid tracking) to victim system, which will result in traffic jam or even stop the service. A Trinoo program includes several masters and more numerous daemons. Attacker firstly connects to the master and orders an attacking command with several important parameters, such as IP addresses of targets, when to take the attack, and other attack parameters. After receiving an order at master, master will connect to all the daemons. Then all daemons take attack to all predefined victim systems. Attacking steps are as follows. 1. Attacker connects to master: using port27665/tcp. 2. Master connects to daemons; using port 27444/UDP. 3. Daemons responds to master: using 31335/UDP. 4. Attack of daemon program towards victim systems: using UDP flood attacks. 55

56 Other DDoS programs examples are TFN and TFN2K that are very much alike the same hierarchy. They differ in amount of attacking types Social Engineering The attack of social engineering is not by system or Internet. An example of that is the attacker sends an or calls to the user and claims he is the system operator for testing or other reasons to ask the user replying his authorized information. Social engineering also includes peeking for password while hacker is behind user s back Typical Defense After describing the attack methods, we introduce several defense methods in this section. More defenses more secure. We concludes six models of defense, including Data Encryption, Authentication, Access Control, Auditing, Monitoring, and Scanning. The six models can be extracted into four types, i.e., prevention, control, detection, and record. Prevention means keeping away form attacker, e.g., data encryption. Control adopts authentication and access control to take control of unauthorized user getting unauthorized password/id. Detection means detecting any attacks, such as monitoring and scanning. Record means recording after-attack messages to track attackers, such as auditing. Tablet 7-2 includes most common used protection applications and software. Data encryption has been described in section 7.2.1, authentication in section 7.2.2, and access control in section 7.3. Therefore, auditing, monitoring and scanning will be described as follows. Table 7-2 Protection application and software Types of Defense Software URL Data Encryption PGP SSH Access Control Firewall-1 Ipchains TCP Wrappers ftp://ftp.porcupine.org/pub/security/index.html Portmap ftp://ftp.porcupine.org/pub/security/index.html Xinetd 56

57 Monitoring Tripwire RealSecure Scanning Pc-cillin Auditing Auditing records security-related events that will be saved in some files or log files. The audited events include record of logging in, number of failure login, or some important activities. Such log files are useful to track and analyze who or which system takes the attack while this system is under attacking. Hence, the administrator can protect system to avoid the same attack in the future. Present operation systems usually provide auditing functions, such as the system file of wtmp of UNIX. The wtmp file records all login and logout states of all users. In Microsoft Windows systems, Event Viewer performs the same function of auditing Monitoring Monitoring defense monitors system or Internet if any abnormal activities take place. Such as monitoring by some user s continuous logging failure then detect attacker tries to intrude the system. While detecting attack, system will respond by the following processes: 1. Call the system operator by sending an , pager or alarm. 2. Stop system or related services to reduce possible damage. 3. Try to track attacker. System may be using attack signature to have a clue of attacker s type, in order to track him. There are two types of monitoring including Network-based monitor and Host-based monitor. Network-based monitor can be monitoring if any abnormal Internet activities in network hosts. It intercepts packets by enable the promiscuous mode of network interface card (NIC), then analyzes any weird influence on host and reacts appropriately. Network-based monitor could detect part of denial of service attacks, such as TCP SYN flood attack. Network-based monitor could monitor SYN packets. Once finds out the source of SYN is illegal, it will send a RST packets to under-attack host and stops it from waiting impossible feedback. Host-based monitor could monitor any abnormal behavior, such as outside host connection request, user logging situation, activities of system operator and file systems. If abnormal activities are detected, host-attack monitor will respond properly. 57

58 RealSecure and Tripwire are defensive programs of this type. Tripwire will have important files functioned and have the result saved in database. Tripwire will exam significant files regularly, compare these important files to database, if those files have been modified, results will vary. Therefore, Tripwire can be used to monitor significant file within systems Scanning Scanning here differs from scanning in defense model. Scanning means by using know patterns to scan if any malicious code in system, i.e., virus or backdoor programs. Normally anti-virus software is of this defense type. Scanning program detects malicious codes by well-known patterns, so user might regularly update virus patterns to detect malicious code Non-solution problems Figure 7-3 lists some typical defense methods to against typical attack methods. Encryption can prevent monitoring. Authentication can prevent attack of spoof source address in remote exploits. Access control can prevent scanning of attacker and part of exploit attack, and it reduces partial denial of service. Auditing may record exploits attack, scanning of attacker, malicious code, and denial of service. Scanning is used for detecting there exists some malicious code in systems. From Figure7-3, we understand that some security holes, denial of service and social engineering are un-solved problems still now. Table 7-3 Typical attack methods against typical defense methods Encryption Authentication Access Control Auditing Monitoring Scanning Monitoring Prevent Password cracking Security holes Prevent Decrease Record Detect Scanning Prevent Record Detect Malicious code Record Detect Detect DoS Decrease Record Detect Social Engineering Security holes mean un-disclosure holes, so there are not any patching programs 58

59 released. Since there is so many software or programs, it is impossible to prevent attacks via security holes. Nevertheless, an experienced programmer is able to reduce the number of security holes. In present, defense methods of using firewall can reduce possibility of denial of service, recording by auditing, or detecting attack by scanning program. Most of the addresses of attacking are spoof, so it is not much useful to keep the recorded data. For instance, a web server in Internet should accept any connection from any host in the world. It is difficult to distinguish that a connection is from normal user or hacker. Therefore, the attack of denial of service still cannot be resolved today. Finally, the attack of Social Engineering is also not able to obtain solutions, since the protection concept of everyone are different Open Source Implementation Snort is designed for the purpose of defense. It is a small detecting tool for Internet in order to monitor smaller TCP/IP network and to provide sufficient data for possible intrusion. More important, it is completely free and supports for every popular environment. Compared to tcdump, Snort has two advantages, i.e., detecting payloads of packet and providing friendly interface of packet analysis. Snort decodes application layer packets, which allows Snort to detect buffer overflow and some other forms of attack. Figure7-34 shows the operation result of Snort. Figure 7-34 Display of Snort 59