Introduction.


Introduction thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Content
- Introduction
- Identifying Risks
- Taxonomy of Possible Attacks
- Security Fundamentals and Defense Components

[Figure: Attack sophistication vs. intruder technical knowledge. From: Howard F. Lipson. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Technical report, CERT Coordination Center, November 2002.]

Attackers
- Lone attackers: social background; publicity is the motivation; might want to make a political statement; usually take low risk
- Organized crime: money as motivation; medium risk
- Terrorists: politically or socially motivated; take the highest risk, up to danger to their own lives; aim at destruction and confusion
- Competitors: want a low risk of being unveiled, depending on the worth of the information; information theft or destruction
- Governmental organizations: industrial espionage for the sake of domestic companies; military espionage

Most dangerous attacks
http://www.sans.org/top20/ - Unix problems as of June 2006:
- Computer Associates License Manager Overflows (CVE-2005-0581, CVE-2005-0582, CVE-2005-0583)
- Novell eDirectory iMonitor and ZENworks Buffer Overflows (CVE-2005-2551, CVE-2005-1543)
- Computer Associates Message Queuing Vulnerabilities (CVE-2005-2668)
- Sun Java Security Vulnerabilities (CVE-2004-1029, CVE-2005-0418, CVE-2005-0836, CVE-2005-1973, CVE-2005-1974)
- HP Radia Management Software Overflows (CVE-2005-1825, CVE-2005-1826)
- Snort BackOrifice Preprocessor Buffer Overflow (CVE-2005-3252)
- RSA SecurID Web Agent Overflow (CVE-2005-1471)

Attacks and goals of an attacker
- Information theft, resulting in: advantage in competition; embarrassment; extortion
- Destruction, resulting in: fun and self-glorification; political statements

Attacks against a computer: Information gathering
- Information is sent to an attacker
- Network-attached computers are obviously at much higher risk
- The attacker needs to gain access through: social engineering; viruses / trojans / worms; physical theft of storage media; sniffing

Attacks against a computer: Information destruction
- Information is lost
- Physical attacks / fire / natural disasters
- Intended deletions, performed via: social engineering; viruses / trojans / worms

Attacks against a computer: Viruses
- File infection
- System and boot record infection
- Macro viruses
- Functions: destruction; confusion; publicity

Attacks against a computer: Worms
- Mailing worms spread through e-mail; the payload might be a virus / trojan. Example: Melissa
- Network worms spread by exploiting known software flaws, such as buffer overflows. Stages: target selection, exploit, infect, spread / propagate. Example: SQL Slammer

Attacks against a computer: Trojans
- Malicious software hides inside useful software
- Functions might be: logging; destroying; installation of further software, such as DoS clients or rootkits; conditional start of processes / time bomb
- Example: Back Orifice

Attacks against a computer: Denial of Service
- The attacker wants to overload a service provided by a computer or device
- Attacks against competitors or as a political / social statement
- Malicious requests are often indistinguishable from legitimate ones, which is what makes filtering hard
- Examples: HTTP or DNS DoS; SYN flooding

Attacks against a computer: Distributed Denial of Service
- Increased impact by distributing the attack over many sources
- The attacker controls a set of daemon nodes (zombies) and directs them all against the target server

Attacks against a computer: Spoofing
- The attacker claims someone else's identity
- For MAC (ARP) spoofing, and whenever the attacker needs to see the victim's replies, attacker and target usually have to share a network segment; blind IP source-address spoofing (as in SYN flooding or smurf) works from anywhere, at the price of never seeing the replies
- The attacker might deliver false information: routes, names
- Basically every protocol's responses are potentially subject to spoofing
- Examples: MAC spoofing; IP spoofing; DNS spoofing

Attacks against a computer: Session hijacking
- The attacker breaks into an existing session without the need to log in
- Examples: telnet; http; ftp; pop / imap / smtp

Attacks against a computer: WWW attacks
- Cross-site scripting
- Cookie tampering
- Attacks against the HTTP server
- Parameter tampering
- Session hijacking

Attacks against a computer: Password / key attacks
- Brute force
- Guessing / dictionary attacks
- Flaws in implementation, e.g. passwords saved as plain text
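The following is an added example, not part of the lecture slides: it runs the same small dictionary attack against two password stores, one keeping an unsalted SHA-256 per account (a typical implementation flaw), the other a per-user random salt with PBKDF2 stretching. The word list, the accounts and the iteration count are constructed for the example; the counter of hash computations makes the attacker's work difference visible.

```python
import hashlib
import hmac
import os

# Constructed inputs for the example: a small attacker word list and three accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer06", "Tr0ub4dor&3"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "xK9#v2!pLq7z"}
ITERATIONS = 20_000   # key-stretching rounds; deliberately low so the example runs quickly


def hash_unsalted(password):
    """Weak storage: one SHA-256 of the password, no salt, no stretching."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Stronger storage: random per-user salt plus PBKDF2 stretching."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def attack_unsalted(stored):
    """Precompute one hash per word, then crack every account by table lookup.
    Returns (cracked accounts, number of hashes the attacker computed)."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def attack_salted(stored):
    """Salts defeat the shared table: every word must be re-hashed per account,
    and each guess costs the full number of stretching rounds."""
    cracked, work = {}, 0
    for user, record in stored.items():
        salt_hex, rounds, digest_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(rounds)
        for w in WORDLIST:
            work += rounds
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds).hex()
            if hmac.compare_digest(guess, digest_hex):
                cracked[user] = w
                break
    return cracked, work


def demo():
    """Store the constructed accounts both ways and attack each store."""
    unsalted = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_salted(p) for u, p in ACCOUNTS.items()}
    return attack_unsalted(unsalted), attack_salted(salted)


if __name__ == "__main__":
    (weak_cracked, weak_work), (strong_cracked, strong_work) = demo()
    print("unsalted:", weak_cracked, "after", weak_work, "hash computations")
    print("salted:  ", strong_cracked, "after", strong_work, "hash computations")
```

Both stores give up the two dictionary passwords, but the unsalted store costs the attacker six hashes for all accounts at once (and shows at a glance that alice and bob share a password, since their hashes are equal), whereas the salted, stretched store costs 240,000 rounds for the same three accounts and scales with the number of accounts.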

Attacks against a computer: Port / network scanning
- The attacker wants to gain further information about the structure of the network
- Sniffing
- Mapping
- Port scans
- Management and diagnostic protocols such as SNMP or ICMP

Attacks against a computer: Security scanning
- The attacker wants to gain further information about installed software which has known exploits
- Looking for certain versions of server processes / daemons: HTTP scan; FTP scan

Taxonomies
- M. Bishop and D. Bailey. A critical analysis of vulnerability taxonomies. September 1996.
- Matt Bishop. A Taxonomy of (Unix) System and Network Vulnerabilities. Technical Report CSE-95-10, Department of Computer Science, University of California at Davis, May 1995.
- Richard Bisbey II and Dennis Hollingworth. Protection Analysis: Final Report. Technical report, University of Southern California, May 1978.
- R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tokubo, and D. A. Webb. Security Analysis and Enhancements of Computer Operating Systems. Technical Report NBSIR 76-1041, Institute for Computer Sciences and Technology, National Bureau of Standards, April 1976.

A Taxonomy - Dimensions
- By category: virus, worm, trojan, buffer overflow, DoS, network attack, physical attack, password attack, information gathering
- By target being attacked: hardware (computer hard disks, cabling, peripheral devices); software (applications, operating systems); network (protocols)
- By exploit being used for the attack
- By payload of the attacking protocol
- By damage caused
- By costs of the attack
- By propagation of the attacking program

History
- 1978: term "worm" used by Xerox PARC
- 1981: first virus (for the Apple II OS)
- 1983: first formal use of the term "virus"
- 1995: first DoS attack
- 1999: first DDoS attack

Security Components
- Packet filter
- Stateful firewall
- Intrusion Detection System
- VPN gateways
- Border routers
- Internal networks
- Demilitarized zones

Security Components: Packet filter
- Static packet filters inspect network packets: source address; destination address; ports (TCP / UDP for instance); type of packet
- Decides whether a packet may pass the filter or is dropped
- Example: Smurf attack: ICMP echo request packets (ping) with a spoofed source address (the victim's) sent to internal broadcast addresses, so that every host on the segment replies to the victim; a packet filter that drops echo requests to directed broadcast addresses stops the amplification. Used in February 2000 against Yahoo! and CNN

Security Components: Packet filter
- Faster than stateful inspection
- Decisions are made on the fly, per packet
- Function integrated in routers
- Linux iptables realizes packet filtering

Security Components: Stateful firewalls
- Most common type of firewall
- Keep track of connections / sessions
- Know the state machines of stateful protocols
- The simplest type is a connection tracker: packets are accepted if they belong to an open connection; connection requests (TCP: SYN) are accepted from the internal network
- Example / exercise: an nmap ACK scan passes non-stateful firewalls (its ACK-only probes look like replies belonging to an existing connection), but is stopped by a stateful firewall (http://www.insecure.org/nmap/)
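The two packet-filter slides and the stateful-firewall slide above describe the difference in words; the following added example (not from the lecture, and not real iptables code) models both filters over constructed packets so the difference shows in the verdicts. The internal subnet 10.0.1.0/24, the public ports 80/443 and all addresses are assumptions of the example. The static filter implements the anti-spoofing and anti-smurf rules a packet filter can apply per packet; the stateful firewall adds a connection table, which is exactly what stops the ACK scan.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.1.0/24")   # assumed internal subnet behind the filter
PUBLIC_SERVICES = {80, 443}               # inbound connections allowed only to these ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: int = -1               # 8 = echo request
    iface: str = "ext"                # interface the packet arrived on: "ext" or "int"


class StaticPacketFilter:
    """Decides on every packet in isolation, from addresses, ports and flags only."""

    def _static_rules(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.iface == "ext" and src in INTERNAL_NET:
            return "DROP"   # ingress anti-spoofing: internal source arriving from outside
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst == INTERNAL_NET.broadcast_address:
            return "DROP"   # smurf: echo request to the directed broadcast address
        if (pkt.iface == "ext" and pkt.proto == "tcp"
                and "SYN" in pkt.flags and "ACK" not in pkt.flags
                and pkt.dport not in PUBLIC_SERVICES):
            return "DROP"   # connection request from outside to a non-public port
        return None         # no static rule matched

    def decide(self, pkt):
        verdict = self._static_rules(pkt)
        # Without state, anything that does not look like a new connection is let
        # through: an ACK-only probe is indistinguishable from a reply.
        return verdict if verdict is not None else "ACCEPT"


class StatefulFirewall(StaticPacketFilter):
    """Same static rules, plus a table of the TCP connections it has seen opened."""

    def __init__(self):
        self.connections = set()   # (client, cport, server, sport) tuples

    def decide(self, pkt):
        verdict = self._static_rules(pkt)
        if verdict is not None:
            return verdict
        if pkt.proto != "tcp":
            return "ACCEPT"
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.connections.add(forward)   # new request that passed the static rules
            return "ACCEPT"
        if forward in self.connections or reverse in self.connections:
            if pkt.flags & {"FIN", "RST"}:
                self.connections.discard(forward)
                self.connections.discard(reverse)
            return "ACCEPT"
        return "DROP"   # claims to belong to a connection the firewall never saw


def ack_scan_probe():
    """An nmap -sA style probe (ACK only, no SYN) from outside to port 22."""
    probe = Packet("203.0.113.9", "10.0.1.5", "tcp", 40000, 22, frozenset({"ACK"}))
    return StaticPacketFilter().decide(probe), StatefulFirewall().decide(probe)


def smurf_probe():
    """Echo request to the internal broadcast address with the victim as source."""
    probe = Packet("198.51.100.7", "10.0.1.255", "icmp", icmp_type=8)
    return StaticPacketFilter().decide(probe), StatefulFirewall().decide(probe)


def legitimate_session():
    """Internal client opens a connection to an external web server (three-way handshake)."""
    fw = StatefulFirewall()
    syn = Packet("10.0.1.5", "203.0.113.9", "tcp", 51000, 80, frozenset({"SYN"}), iface="int")
    syn_ack = Packet("203.0.113.9", "10.0.1.5", "tcp", 80, 51000, frozenset({"SYN", "ACK"}))
    ack = Packet("10.0.1.5", "203.0.113.9", "tcp", 51000, 80, frozenset({"ACK"}), iface="int")
    return [fw.decide(p) for p in (syn, syn_ack, ack)]


if __name__ == "__main__":
    print("ACK scan (static, stateful):", ack_scan_probe())
    print("smurf    (static, stateful):", smurf_probe())
    print("session  (stateful only):   ", legitimate_session())
```

The ACK probe is accepted by the static filter and dropped by the stateful one; the smurf packet is dropped by both, because that rule needs no state; and the legitimate handshake passes the stateful firewall because the outbound SYN created the table entry that the inbound SYN/ACK is matched against.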

Example

[root@titan ~]# nmap -A -T4 139.30.241.7

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-26 17:16 CEST
Interesting ports on ruri.informatik.uni-rostock.de (139.30.241.7):
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
53/tcp   open  domain
80/tcp   open  http        Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
110/tcp  open  pop3
143/tcp  open  imap?
443/tcp  open  ssl/http    Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
608/tcp  open  rpc.unknown
993/tcp  open  imaps       Cyrus imapd
995/tcp  open  ssl/pop3    Cyrus pop3sd
6667/tcp open  irc         Unreal ircd
MAC Address: 00:90:27:1C:02:86 (Intel)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18-2.6.7
Uptime 44.804 days (since Fri May 12 22:01:52 2006)

Nmap finished: 1 IP address (1 host up) scanned in 158.194 seconds
[root@titan ~]#
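As an added example (not part of the lecture), here is a parser for the nmap "normal" output format shown above, followed by the two selections an attacker makes from it: the version banners that security scanning (see the slide on looking for certain daemon versions) compares against lists of known-vulnerable software, and the cleartext protocols that session hijacking targets. The port table is copied from the scan above; the list of cleartext-protocol ports is an assumption of this example.

```python
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")
# Assumed for the example: services that carry logins and sessions unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# The port table from the scan on this page (the OS and MAC lines are kept to show
# that the parser skips them).
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
53/tcp   open  domain
80/tcp   open  http        Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
110/tcp  open  pop3
143/tcp  open  imap?
443/tcp  open  ssl/http    Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
608/tcp  open  rpc.unknown
993/tcp  open  imaps       Cyrus imapd
995/tcp  open  ssl/pop3    Cyrus pop3sd
6667/tcp open  irc         Unreal ircd
MAC Address: 00:90:27:1C:02:86 (Intel)
Device type: general purpose
"""


def parse_ports(text):
    """Return one dict per PORT/STATE/SERVICE[/VERSION] line; other lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        number, proto, state, service, version = m.groups()
        ports.append({"port": int(number), "proto": proto, "state": state,
                      "service": service, "version": version})
    return ports


def version_banners(ports):
    """Open ports whose banner discloses product and version: the input a security
    scanner matches against its catalogue of known-vulnerable versions."""
    return {f'{p["port"]}/{p["proto"]}': p["version"]
            for p in ports if p["state"] == "open" and p["version"]}


def cleartext_services(ports):
    """Open ports running protocols whose sessions can be sniffed and hijacked."""
    return sorted(p["port"] for p in ports
                  if p["state"] == "open" and p["port"] in CLEARTEXT_PORTS)


if __name__ == "__main__":
    found = parse_ports(NMAP_OUTPUT)
    for key, banner in version_banners(found).items():
        print(f"{key:>9}  {banner}")
    print("cleartext services:", cleartext_services(found))
```

On this scan the banners disclose exact versions of OpenSSH, Apache, PHP, mod_ssl and OpenSSL (six of the ten open ports), and pop3 and imap are offered both with TLS (995, 993) and in the clear (110, 143), so an attacker on the path can take over a mail session without ever logging in.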

Security Components: Proxy firewalls
- Alternative to stateful firewalls
- Least common type
- Block any non-established, non-permitted connections
- Internal and external hosts never communicate directly; the proxy works on behalf of both sides
- Examines the entire packet to ensure that only protocol-compliant traffic passes
- Example: HTTP proxy: the internal client sends its request to the proxy; the proxy requests the URL from the external server; the external server responds; the proxy sends its own response to the internal client

Security Components: Proxy firewalls
- Attack example: the attacker sends an HTML e-mail with embedded images; users open the e-mail; the images are loaded from the attacker's web server; the web server harvests browser data. Manipulated images and software flaws in the image decoder might be another threat
- Other functions: prevent users from seeing pornographic material; protect (to a certain extent) information from being sent to outside sites; combination with other systems (virus filter, spam filter, IDS, filter for known attack patterns)
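The two proxy-firewall slides above describe what the proxy does on the client's behalf and what it can withhold from the outside site. The following added example (not from the lecture, and not the code of any real proxy) implements the request-validation step of an HTTP proxy: it parses the raw request from the internal client, refuses anything that is not protocol-compliant or not permitted, and rewrites the rest into the request the proxy itself sends to the origin server, dropping hop-by-hop headers and, as a privacy policy, the User-Agent and Referer headers. The allowed methods, the standard-port-only rule, the stripped headers and the sample requests are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}           # assumed policy: no CONNECT tunnels
DEFAULT_PORTS = {"http": 80, "https": 443}          # assumed policy: standard ports only
# Hop-by-hop headers (RFC 7230) must never be forwarded; PRIVACY_STRIP is the
# example's own policy choice for not leaking client details to the outside site.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authorization",
              "proxy-authenticate", "te", "trailer", "transfer-encoding", "upgrade"}
PRIVACY_STRIP = {"user-agent", "referer"}
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token, i.e. a header name


class ProxyReject(Exception):
    """Raised with the reason a request is refused."""


def parse_request(raw):
    """Split a raw request into (method, url, headers); raise ProxyReject if malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("incomplete header block")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ProxyReject("malformed request line")
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method {method} not permitted")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyReject("unsupported HTTP version")
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        raise ProxyReject("absolute-form URI with http/https scheme required")
    try:
        port = url.port or DEFAULT_PORTS[url.scheme]
    except ValueError:
        raise ProxyReject("invalid port")
    if port != DEFAULT_PORTS[url.scheme]:
        raise ProxyReject(f"port {port} not permitted for {url.scheme}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.decode("ascii", "replace")):
            raise ProxyReject("malformed header line")
        if any(c in value for c in (b"\n", b"\r", b"\x00")):
            raise ProxyReject("control characters in header value")   # header injection
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return method, url, headers


def rewrite_for_origin(method, url, headers):
    """Build the origin-form request the proxy sends on the client's behalf."""
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    out = [f"{method} {path} HTTP/1.1", f"host: {url.hostname}"]
    for name, value in headers:
        if name in HOP_BY_HOP or name in PRIVACY_STRIP or name == "host":
            continue
        out.append(f"{name}: {value}")
    out.append("connection: close")   # one origin connection per client request
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")


def proxy_decision(raw):
    """Return ("forward", request_bytes, (host, port)) or ("reject", reason)."""
    try:
        method, url, headers = parse_request(raw)
    except ProxyReject as exc:
        return ("reject", str(exc))
    port = url.port or DEFAULT_PORTS[url.scheme]
    return ("forward", rewrite_for_origin(method, url, headers), (url.hostname, port))


# Constructed requests for the example.
GOOD = (b"GET http://example.com/index.html?q=1 HTTP/1.1\r\nHost: example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\nProxy-Connection: keep-alive\r\nAccept: */*\r\n\r\n")
TUNNEL = b"CONNECT example.com:25 HTTP/1.1\r\n\r\n"
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
INJECTED = b"GET http://example.com/ HTTP/1.1\r\nX-Note: a\nCookie: session=stolen\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("tunnel", TUNNEL),
                       ("origin-form", ORIGIN_FORM), ("injected", INJECTED)]:
        print(label, proxy_decision(req)[:2])
```

Only the first request is forwarded, and what reaches example.com is the proxy's own request: origin-form path, a fresh Host and Connection header, no User-Agent and no Proxy-Connection. The CONNECT to port 25, the request that names no server at all, and the header value carrying a bare line feed (an attempt to smuggle a second header through the proxy) are all refused before any connection to the outside is opened.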

Security Components: Intrusion Detection Systems
- Identification of attacks / suspicious traffic
- Help to set up / configure firewalls

Security Components: Virtual Private Networks
- VPNs create a common address range
- VPNs protect communications over unprotected networks as if they took place within a single network
- Mutual authentication of communication partners
- VPNs offer significant cost savings over dedicated connections
- Example: an employee works at home and connects to the company network
- Threats: VPNs bypass all perimeter security mechanisms; VPN clients (e.g. an employee's home PC) may be connected to other, untrusted networks at the same time

Security Components: Zones
- Demilitarized zones (DMZ): a small network containing public services such as HTTP; DMZs are often protected by firewalls etc.; DMZs are outside the internal network; DMZs are considered less secure than the internal network
- Screened subnets: isolated networks inside the internal network; well fortified services inside the isolated network
- Examples: subnet for mobile computers; subnet for public services; subnet with WLAN

Security Components: Internal Network
- Limited access to the external network via well-known gateways only
- People accessing the internal network are usually more trustworthy, but not necessarily
- Internal attack risk depends on: the number of users; trust in users; the way users access the network (notebook computers?); skills of users
- Conclusion: hosts have to be protected: personal firewalls; anti-virus software; configuration

Summary
- There are several severe types of attacks
- Attackers have different motivations and resources
- Networked computers are at much higher risk
- Several components are necessary to protect networks and computers
- Firewalls, IDS, VPN, DMZ are those components
- Don't forget the human factor!

Exercise for this lecture: nmap examples