Security System and Control 1

Network Security

Reading list
- Recommended: www.cert.org

Internet Connectivity
- Advantage: private networks are able to reach and communicate with the outside world
- Disadvantage: the outside world can also reach and interact with the private network

Computing Networks: Advantages
- Resource sharing
- Distributed workload
- Increased reliability
- Expandability

Computing Networks: Disadvantages
- Increased risk of security violations
- Sources of security problems:
  - Sharing: increased number of users
  - System complexity: heterogeneous operating and control systems
  - Unknown perimeter: shared nodes, new nodes
  - Many points of attack: hosts and communications as a unit
  - Anonymity: location and identity of the attacker
  - Unknown routing: delivery path of messages

Security Threat Analysis
- Local threats: local nodes, local communications, local storage, local devices
- Network-related threats: network gateways, network communications, network control resources, network routers, network resources

Security Threats
- Interception of data in transit
- Access to programs or data at remote hosts
- Modification of programs or data at remote hosts
- Modification of data in transit
- Insertion of communications impersonating a user
- Insertion of a repeat of a previous communication
- Blocking of selected traffic
- Running a program on a remote host

Web/Network Security
- Client side: what can the server do to the client?
  - Fool it
  - Install or run unauthorized software, inspect/alter files
- Server side: what can the client do to the server?
  - Bring it down (denial of service)
  - Gain access (break-in)
- Network:
  - Is anyone listening? (sniffing)
  - Is the information genuine?
  - Are the parties genuine?

Packet Sniffing
- Every network interface card has a unique 48-bit Media Access Control (MAC) address, e.g. 00:0D:84:F6:3A:10; 24 bits are assigned by the IEEE, 24 by the card vendor
- Normally the network interface card passes up only packets addressed to its own MAC address
- A packet sniffer sets its card to promiscuous mode to let all packets through
(Figure: client, packet sniffer and server on the same network segment)

Network Security Problem
(Figure, source: CERT: entry points into an organization's network include removable media, users at remote locations, modem + telephone, the local area network, the Internet connection, radio emissions, backdoor Internet connections, wireless users, the ISP, remote users, and vendors and subcontractors)

Sophistication vs. Intruder Knowledge
(Figure, source: CERT)

Firewall
- A device placed between two networks or machines
- All traffic in and out must pass through the firewall
- Only authorized traffic is allowed to pass
- The firewall itself is immune to penetration
(Figure, source: Adam Coldwell: firewall between the company network and the Internet)

Enterprise Access Security
(Figure, source: RSA: RSA agents on the Internet-facing firewall and web server, on the enterprise authentication server, and on the mainframe, RAS and UNIX remote-access hosts of the intranet)

Denial-of-Service Attacks
- Attack to disable a machine (server) by making it unable to respond to requests
- Uses up resources: bandwidth, swap space, RAM, hard disk
- Some attacks yield millions of service requests per second

Ping Flooding
(Figure, source: Peter Shipley: attacking system(s) flood the victim system across the Internet)

Three-Way Handshake
(Figure, source: Peter Shipley)
1: Client sends SYN, seq=x
2: Server sends SYN, seq=y, ACK x+1
3: Client sends ACK y+1

Smurf Attack
- ICMP echo request with the spoofed source address of the victim, sent to an IP broadcast address (ICMP = Internet Control Message Protocol)
- Hosts on the broadcast network send their ICMP echo replies to the victim
- Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack
(Figure, source: Cisco: perpetrator -> Internet -> innocent reflector sites -> victim; labelled "1 SYN" in and "10,000 SYN/ACKs -- victim is dead" out)

Distributed Denial of Service Attack
(Figure, source: CERT: the intruder sends commands to handlers; victim)

DDoS Attack
(Figures, source: CERT; slides 20 and 21)

Rate Limiting
- Allows network managers to set bandwidth limits for users and by traffic type
- Prevents deliberate or accidental flooding of the network
(Figure, source: Cisco: rate limiting for different classes of users, set by the network manager; labelled 50 Mbps, 10 Mbps (teachers) and 2 Mbps (students))

Code Attacks
- Virus: executable code that attaches itself to other executable code (infection) to reproduce itself (spread); replicator + concealer + payload
- Rabbit, worm: program that makes many copies of itself and spreads them; each copy makes copies, etc. A worm spreads via networks.
- Trojan horse: performs unauthorized activity while pretending to be another program. Example: fake login program

Virus Detection
- Some virus families have common characteristics: presence or absence of particular strings
- Antiviral software only detects what it knows how to detect; must be upgraded regularly for new viruses (Symantec encyclopedia)
- File virus: compare size with a known backup copy; presence of strings, like .exe
- Retrovirus: attacks or disables antivirus software

Network Attacks
(Figure, source: CERT)


Intro to Firewalls

Outline
- What is a firewall?
- Who needs a firewall?
- What are the OSI and TCP/IP network models?
- What different types of firewalls are there?
- What are the pros and cons of a firewall?
- What is iptables?

What is a firewall?
- Protects networked computers from intentional hostile intrusion
- Junction point between two networks: a private and a public network
- The earliest were simple routers
- The term comes from the concept of firewalls and fire doors in buildings: they limit the damage that could spread from one subnet to another

Hardware Firewall
(Figure)

Software Firewall
(Figure)

A Firewall
- Can filter traffic based on source and destination addresses, port numbers, protocol used, and packet state
- Cannot prevent individual users with modems from dialing in and out of the network
- Cannot protect against social engineering and dumpster diving

Who needs a firewall?
- Anyone who is responsible for a private network that is connected to a public network
- Anyone who connects so much as a single computer to the Internet via modem

Basic Firewall Operation
(Figure)

The OSI and TCP/IP Models
(Figure)

Professional Firewall Model
(Figure)

Types of Firewalls
- Packet filter
- Circuit-level gateways
- Application-level gateways
- Stateful multilayer inspection

Packet Filtering Firewall
(Figure)

Circuit Level Gateway
(Figure)

Application Level Gateway
(Figure)

Stateful Multilayer Inspection
(Figure)

Implementing your firewall
- Choose the access denial methodology
- Determine inbound access policy
- Determine outbound access policy
- Determine if dial-in or dial-out access is required (VPN)
- Decide whether to buy a complete firewall product or implement one yourself

Access denial methodology
- Deny access by default

Inbound Access Policy
- May be simple: NO ACCESS
- NAT
- NAT + protocol filtering
- Complex: stateful multilayer inspection

Outbound Access Policy
- Open access
- Per-user outbound policy (proxy)

Other Considerations
- Dial-in/out
- Buy a solution:
  - Hardware -- PIX, SonicWall, WatchGuard
  - Software -- CheckPoint, ISA, BorderManager
- Build a solution:
  - Linux -- iptables
  - BSD -- IPFW, IPFilter, pf

iptables
- In Linux 2.2 can limit spoofed packets
- In Linux 2.4 can check for suspicious packets with the unclean extension; also can check for malformed or non-standard packets
- Can check all TCP flags (NEW)

iptables
- Can filter on MAC address
- Can match TCP or UDP packets based on a series of source and destination ports (NEW)
- Can return packets with original destination info (NEW)

iptables Targets
- From ipchains: REJECT, DENY, ACCEPT
- MIRROR
- TOS, MARK
- MASQUERADE, DNAT, SNAT, REDIRECT

iptables Stateful Inspection
- Associates all the packets of a particular connection with each other
- Tries to make sense out of the higher-level protocols: NFS, HTTP, FTP
- Can be used to block port scans or malicious hack attempts
- Tracks the dynamic allocation of arbitrary ports used by many protocols for data exchange

iptables Stateful Inspection: States
- NEW
- RELATED
- INVALID
- ESTABLISHED
- RELATED+REPLY
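An added example, not from these slides: a toy Python connection tracker that classifies each packet into the NEW, ESTABLISHED, RELATED and INVALID states listed above and applies the deny-by-default inbound policy and open outbound policy from the preceding slides. The hosts, ports and packet sequence are constructed, and treating a fresh connection between two hosts that already share an FTP control channel as RELATED is an assumption standing in for a real conntrack helper.

```python
from dataclasses import dataclass

# Connection-tracking states, named after the iptables state match, and verdicts.
NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    inbound: bool   # True if the packet arrives from the public side


class StatefulFilter:
    """Deny-by-default inbound policy plus a connection table keyed by 4-tuple."""

    def __init__(self, inbound_services, helper_ports=(21,)):
        self.inbound_services = set(inbound_services)  # ports exposed to the outside
        self.helper_ports = set(helper_ports)          # control channels (FTP) whose
        self.conns = set()                             # data channels count as RELATED

    def _classify(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return ESTABLISHED      # belongs to a connection we saw being opened
        if p.flags != "S":
            return INVALID          # stray ACK/SYN-ACK with no tracked connection
        # Assumption: a fresh SYN between two hosts that already talk on a helper
        # port is the dynamically negotiated data channel. A real conntrack helper
        # parses the control channel to learn the port instead.
        for s, sp, d, dp in self.conns:
            if {s, d} == {p.src, p.dst} and {sp, dp} & self.helper_ports:
                return RELATED
        return NEW

    def decide(self, p):
        """Return (state, verdict) and remember connections that were allowed."""
        state = self._classify(p)
        if state == INVALID:
            verdict = DROP
        elif state in (ESTABLISHED, RELATED):
            verdict = ACCEPT
        elif p.inbound:             # NEW from outside: only the listed services
            verdict = ACCEPT if p.dport in self.inbound_services else DROP
        else:                       # NEW from inside: open outbound policy
            verdict = ACCEPT
        if verdict == ACCEPT and state in (NEW, RELATED):
            self.conns.add((p.src, p.sport, p.dst, p.dport))
        return state, verdict


def demo():
    """Constructed packet sequence; addresses are from documentation ranges."""
    fw = StatefulFilter(inbound_services={22, 80})
    packets = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S", False),     # inside opens HTTP
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA", True),     # server's reply
        Packet("198.51.100.7", 51000, "10.0.0.5", 22, "S", True),    # inbound SSH, allowed
        Packet("198.51.100.7", 51001, "10.0.0.5", 3389, "S", True),  # inbound RDP, denied
        Packet("198.51.100.7", 51002, "10.0.0.5", 5555, "A", True),  # ACK with no connection
        Packet("10.0.0.5", 40001, "203.0.113.9", 21, "S", False),    # FTP control channel
        Packet("203.0.113.9", 20, "10.0.0.5", 41000, "S", True),     # FTP data channel
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for state, verdict in demo():
        print(f"{state:<12} {verdict}")
```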

iptables Address Translation
- New additions:
  - DNAT: destination address NAT
  - SNAT: source address NAT
  - REDIRECT: DNAT that alters the destination to localhost


Intrusion Control

Historical Research - Prevention
- It is better to prevent something than to plan for loss.

Misuse Prevention
- Prevention techniques: first line of defense
- Secure local and network resources
- Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.
- Problem: losses occur!

Contributing Factors for Misuse
- Many security flaws in systems
- Secure systems are expensive
- Secure systems are not user-friendly
- Secure systems still have flaws
- Insider threat
- Hackers' skills and tools improve

Need:
- Intrusion prevention: protect system resources
- Intrusion detection (second line of defense): discriminate intrusion attempts from normal system usage
- Intrusion recovery: cost-effective recovery models

Why Intrusion Detection?
- Second line of defense
- Deter intruders
- Catch intruders
- Prevent threats from occurring (real-time IDS)
- Improve prevention/detection techniques

Intrusion Detection - Milestones
- 1980: deviation from historical system usage (Anderson)
- 1987: framework for a general-purpose intrusion detection system (Denning)
- 1988: intrusion detection research splits:
  - attack-signature-based detection (MIDAS)
  - anomaly-based detection (IDES)

Intrusion Detection - Milestones
- Early 1990s: commercial installations
  - IDES, NIDES (SRI)
  - Haystack, Stalker (Haystack Laboratory Inc.)
  - Distributed Intrusion Detection System (Air Force)
- Late 1990s - today:
  - Integration of audit sources
  - Network-based intrusion detection
  - Hybrid models
  - Immune-system-based IDS

Terminology
- Audit: activity of looking at user/system behavior, its effects, or the collected data
- Profiling: looking at users or systems to determine what they usually do
- Anomaly: abnormal behavior
- Misuse: activity that violates the security policy
- Outsider: someone without access rights to the system
- Insider: someone with access rights to the system
- Intrusion: misuse by outsiders and insiders

Phases of Intrusion
- Intelligence gathering: attacker observes the system to determine vulnerabilities
- Planning: attacker decides what resource to attack (usually the least defended component)
- Attack: attacker carries out the plan
- Hiding: attacker covers the tracks of the attack
- Future attacks: attacker installs backdoors as future entry points

Times of Intrusion Detection: Real-time intrusion detection
- Advantages: may detect intrusions in early stages; may limit damage
- Disadvantages: may slow down system performance; trade-off between speed of processing and accuracy; hard to detect partial attacks

Times of Intrusion Detection: Off-line intrusion detection
- Advantages: able to analyze large amounts of data; higher accuracy than real-time ID
- Disadvantages: mostly detects intrusions after they have occurred

Audit Data
- Format, granularity and completeness depend on the collecting tool
- Examples: system tools collect data (login, mail); additional collection at low system level; sniffers as network probes; application auditing
- Needed for: establishing guilt of attackers; detecting subversive user activity

Audit-Based Intrusion Detection
(Figure: audit data and profiles, rules, etc. feed the intrusion detection system, which produces a decision)
- Need: audit data; ability to characterize behavior

Anomaly versus Misuse
- Columns: non-intrusive use vs. intrusive use; rows: looks like NORMAL behavior vs. does NOT look like NORMAL behavior
- False negative: intrusive activity that looks like normal behavior (non-anomalous but intrusive)
- False positive: non-intrusive activity that does not look like normal behavior (non-intrusive but anomalous)

False Positive vs. False Negative
- False positive: non-intrusive but anomalous activity
  - Security policy is not violated
  - Causes unnecessary interruption
  - May cause users to become dissatisfied
- False negative: non-anomalous but intrusive activity
  - Security policy is violated
  - Undetected intrusion

Intrusion Detection Techniques
1. Anomaly detection
2. Misuse detection
3. Hybrid misuse/anomaly detection
4. Immune-system-based IDS

Statistical techniques: Rules and Profiles
- Collect usage data to analyze it statistically
- Good for both anomaly-based and misuse-based detection:
  - Anomaly-based: standards for normal behavior; warning when a deviation is detected
  - Misuse-based: standards for misuse; warning when phases of an identified attack are detected
- Threshold detection, e.g. number of failed logins, number of accesses to resources, size of downloaded files, etc.

Rule-based techniques: Rules and Profiles
- Define rules to describe normal behavior or known attacks
- Good for both anomaly-based and misuse-based detection:
  - Anomaly-based: looks for deviations from previous usage
  - Misuse-based: define rules to represent known attacks

Anomaly Detection Techniques
- Assume that all intrusive activities are necessarily anomalous: flag all system states that vary from a normal activity profile

Need: Anomaly Detection Techniques
- Selection of features to monitor
- Good threshold levels to prevent false positives and false negatives
- Efficient method for keeping track of and updating system profile metrics
(Figure: audit data is compared against the system profile; a deviation yields an attack state, otherwise the profile is updated or a new profile is generated)

Misuse Detection Techniques
- Represent attacks in the form of a pattern or a signature (variations of the same attack can be detected)
- Problem! Cannot represent new attacks

Misuse Detection Techniques
- Expert systems
- Model-based reasoning
- State transition analysis
- Neural networks
(Figure: audit data and timing information are matched against the system profile rules; a rule match yields an attack state; rules are modified or new rules added)

Hybrid Misuse / Anomaly Detection
- Anomaly and misuse detection approaches together
- Examples:
  1. Browsing using nuclear is not misuse but might be anomalous
  2. An administrator accessing sensitive files is not anomalous but might be misuse

Immune System Based ID
- Detect intrusions by identifying suspicious changes in system-wide activities
- System health factors: performance; use of system resources
- Need: identify system-wide measurements

Immune System Based ID
- Principal features of the human immune system that are relevant to constructing robust computer systems:
  1. Multi-layered protection
  2. Distributed detection
  3. Diversity of detection
  4. Inexact matching ability
  5. Detection of unseen attacks

Intrusion Types
- Doorknob rattling
- Masquerade attacks
- Diversionary attack
- Coordinated attacks
- Chaining
- Loop-back

Doorknob Rattling
- Attack on activity that can be audited by the system (e.g., password guessing)
- Number of attempts is lower than the threshold
- Attacks continue until all targets are covered or access is gained
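An added example, not from these slides, that ties together the threshold detection of the statistical-techniques slide, the false positive / false negative slide and doorknob rattling: a Python detector run over a constructed sshd log excerpt. A per-host failed-login threshold misses a source that stays below the threshold on every host, counting per source across all hosts catches it, and lowering that threshold shows the false-positive cost. The log lines, addresses, host names and thresholds are all constructed.

```python
import re
from collections import Counter

# Constructed sshd log excerpt (not from the slides). 198.51.100.7 makes three
# guesses against each of four hosts (doorknob rattling); 203.0.113.5 is a
# legitimate user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
Oct  4 09:00:01 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct  4 09:00:03 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct  4 09:00:05 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct  4 09:01:01 host2 sshd[1833]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct  4 09:01:03 host2 sshd[1833]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct  4 09:01:05 host2 sshd[1833]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct  4 09:02:01 host3 sshd[2907]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Oct  4 09:02:03 host3 sshd[2907]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Oct  4 09:02:05 host3 sshd[2907]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Oct  4 09:03:01 host4 sshd[3120]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Oct  4 09:03:03 host4 sshd[3120]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Oct  4 09:03:05 host4 sshd[3120]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Oct  4 09:04:10 host1 sshd[2300]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Oct  4 09:04:14 host1 sshd[2300]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Oct  4 09:04:20 host1 sshd[2300]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
"""

FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failures(log):
    """Return (source, target host, user) for every failed-login line."""
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((m["src"], m["host"], m["user"]))
    return events


def per_target_alerts(events, threshold):
    """Naive rule: alert when one source fails >= threshold times on one host."""
    counts = Counter((src, host) for src, host, _ in events)
    return sorted({src for (src, host), n in counts.items() if n >= threshold})


def per_source_alerts(events, threshold):
    """Aggregate across hosts: a rattler that stays under the per-host
    threshold everywhere still exceeds the total."""
    counts = Counter(src for src, _, _ in events)
    return sorted(src for src, n in counts.items() if n >= threshold)


def evaluate(alerts, known_bad):
    """False positives: alerted but benign. False negatives: bad but silent."""
    alerted = set(alerts)
    return sorted(alerted - known_bad), sorted(known_bad - alerted)


def demo():
    events = parse_failures(SAMPLE_LOG)
    bad = {"198.51.100.7"}          # constructed ground truth for this excerpt
    return {
        "failures": len(events),
        "per_target": evaluate(per_target_alerts(events, 5), bad),
        "per_source": evaluate(per_source_alerts(events, 5), bad),
        "per_source_low": evaluate(per_source_alerts(events, 2), bad),
    }
```

Each entry of the result is a (false positives, false negatives) pair: the per-host rule yields one false negative, the per-source rule at the same threshold yields none, and the per-source rule with the threshold lowered to 2 flags the legitimate user as well.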

Masquerading
(Figure: the attacker logs in as X on Target 1, changes identity ("I'm Y") and logs in as Y on Target 2; Y is a legitimate user)

Diversionary Attack
- Create a diversion to draw attention away from the real target
(Figure: fake attacks and the real attack against the TARGET)

Coordinated attacks
- Compromise systems to attack the target
- Multiple attack sources, maybe over an extended period of time
(Figure: attacker -> compromised system -> target)

Chaining
- Move from place to place to hide the origin and make tracing more difficult
(Figure: attacker -> intermediate hosts -> target)

Intrusion Recovery
- Actions to avoid further loss from intrusion
- Terminate the intrusion and protect against reoccurrence
- Reconstructive methods based on: time period of the intrusion; changes made by legitimate users during the affected period
- Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal rollback for recovery
