ECE579S: Computer and Network Security 4: Network Security Issues

Spring 2011 © 2000-2011, Richard A. Stanley. Professor Richard A. Stanley, PE.

Transcript of ECE579S: Computer and Network Security 4: Network Security Issues

Page 1: ECE579S: Computer and Network Security, 4: Network Security Issues

Spring 2011 © 2000-2011, Richard A. Stanley

ECE579S/4 #1

Professor Richard A. Stanley, PE

Page 2: Last time...

• System design should be based on simplicity and restriction
• Developing secure systems is hard, but security needs to be designed in, not bolted on later
• Covert channels are a serious problem, and steganography is the current method of choice

Page 3: Thought for the Day

“When computers (people) are networked, their power multiplies geometrically. Not only can people share all that information inside their machines, but they can reach out and instantly tap the power of other machines (people), essentially making the entire network their computer.”

Scott McNealy, CEO, Sun Microsystems

Page 4: Threats and Vulnerabilities

• Threats are “just there”
• Vulnerabilities occur due to design choices we make along the way
• They are not the same thing!
• Risks occur at the intersection of threats and vulnerabilities with the assets we are trying to protect

Page 5: Vulnerability Assessment

• What is it?
• Why do we care?
• Whose job is it?
• How good a job do we have to do?
• How can we describe vulnerabilities?
  – OVAL

Page 6: Warning!

• In this lecture, we will discuss techniques for enumerating and attacking networks. This discussion is intended to help you understand how to protect networks, and is not a recommendation for or approval of this sort of activity.
• Under no circumstances should you scan or otherwise probe a network without the explicit authorization of its management. Doing so could violate U.S. Federal law (18 USC § 1030).

Page 7: How To Rob a Bank

• Just walk in and demand the money
  – Where is the bank?
  – How do you know there is any money?
  – Where to park the getaway car?
  – Are there any guards or surveillance devices?
  – Will you need a disguise?
  – What kinds of things might go wrong?
  – What if they say “NO?”

Page 8: Success Requires Planning

• Whether robbing a bank or breaching network security, you need to plan ahead
• Planning ahead is known as vulnerability assessment
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (shake the doors)

Page 9: Information in Plain Sight

• Lots of valuable information is just lying around waiting to be used
  – telephone directories
  – company organization charts
  – business meeting attendee lists
  – promotional material
• The Internet has made having a company web page the measure of being “with it”

Page 10: Target: FBI

Pages 11 to 21: (no text on these slides; page 19 carries only a “?”)

Page 22: You get the idea

• There is a lot of information out there, and it is readily available to anyone
• Good intelligence usually consists of open source material properly collated
• Law enforcement used to have special access to this sort of information--now it’s out on the ‘net
• Network access speeds up the rate at which good intelligence can be collected

Page 23: Determine Your Scope

• Check out the target’s web page
  – physical locations
  – related companies or entities
  – merger/acquisition news
  – phone numbers, contact information
  – privacy or security policies
  – links to other related web servers
  – check the HTML source code

Page 24: Refine Your Search

• Run down leads from the news, etc.
  – Search engines are a good way
  – Check USENET postings
  – Use advanced search capabilities to find links back to target
• Search on “worcester polytechnic security” gives ~32,400 hits

Page 25: Use the Government

• EDGAR
  – SEC site (www.sec.gov/edgarhp.htm)
  – Search for 10-Q and 10-K reports
  – Try to find subsidiary organizations with different names
• Think about what your organization has on databases available to the public

Page 26: Zero In On The Networks

• InterNIC – http://www.internic.net/
  – Organization
  – Domain
  – Network
  – Point of contact
• www.networksolutions.com
• www.arin.net

Page 27: Query on Found Data

• POC (point of contact)
  – May be (often is) POC for other domains
  – Query for email addresses
    • Search for @wpi.edu (harder to do than earlier)
    • Scan found items for addresses and try them out

Page 28: Query the DNS

• Insecure DNS configuration can reveal information that should be kept confidential
• Zone transfers are popular attack methodologies
  – nslookup often used
  – pipe output to a text file
  – review the text file at your leisure
  – select potential “good targets” based on data

Page 29: Map Network Connectivity

• traceroute
  – Unix and Win/NT
  – tracert in NT for file name legacy reasons
  – Shows hops from router to destination
• Graphical tools exist, too
  – VisualRoute
  – www.visualroute.com

Page 30: (no text on this slide)

Page 31: Detailed Scanning

• Network ping sweeps
  – Who is active?
  – Automated capabilities with some tools
• ICMP queries
  – Reveal lots of information on systems
    • System time
    • Network mask

Page 32: Port Scanning

• Identify running services
• Identify OS
• Identify specific applications of a service
• Very popular
• Very simple
• Very dangerous

Page 33: Some Port Scan Types

• Connect Scan--completes 3-way handshake
• SYN--should receive SYN/ACK
• FIN--should receive RST on closed ports
• Xmas tree--sends FIN, URG, PSH; should receive RST for closed ports
• Null--turns off all flags; target should send back RST for closed ports
• UDP--port probably open if no “ICMP port unreachable” message received
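The flag combinations on this slide are also what a defender watches for. The following is an added example, not part of the original slides: a small Python classifier that labels segments from a constructed packet log by probe type (SYN, FIN, Xmas tree, Null), records the reply RFC 793 calls for from a closed port, and flags sources that send non-SYN probes or sweep many ports. The record fields (src, dport, flags), the threshold and the sample records are assumptions made for the example.

```python
"""Label TCP probe segments by flag combination and tally them per source.

Added example, not from the original slides. Record fields (src, dport,
flags) and the sample records are constructed for the example.
"""
from collections import Counter
from typing import Optional, Tuple

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBE_MASK = FIN | SYN | RST | PSH | URG

# Flag combination -> (probe label, reply a CLOSED port should give).
# RFC 793 has a closed port answer any incoming non-RST segment with RST;
# stacks that deviate from this are exactly what OS fingerprinting keys on,
# so the "expected" reply is a baseline, not a law.
PROBE_SIGNATURES = {
    SYN:             ("SYN scan / connect()", "RST"),
    FIN:             ("FIN scan", "RST"),
    FIN | URG | PSH: ("Xmas tree scan", "RST"),
    0:               ("Null scan", "RST"),
}

def classify_flags(flags: int) -> Optional[Tuple[str, str]]:
    """Return (label, expected_closed_port_reply), or None if not a probe.

    Anything carrying ACK belongs to an exchange already in progress and
    is never treated as an initial probe.
    """
    if flags & ACK:
        return None
    return PROBE_SIGNATURES.get(flags & PROBE_MASK)

def tally_probes(records, distinct_port_threshold=10):
    """Per-source probe counts; a source is suspicious if it sent any
    FIN/Xmas/Null probe or touched at least `distinct_port_threshold` ports.

    records: iterable of dicts with keys 'src', 'dport', 'flags'.
    Returns {src: {'types': Counter, 'ports': set, 'suspicious': bool}}.
    """
    per_src = {}
    for rec in records:
        hit = classify_flags(rec["flags"])
        if hit is None:
            continue
        entry = per_src.setdefault(rec["src"], {"types": Counter(), "ports": set()})
        entry["types"][hit[0]] += 1
        entry["ports"].add(rec["dport"])
    for entry in per_src.values():
        # A client opening a few SYNs is normal traffic; stealth probes or a
        # sweep across many ports from one source are not.
        odd_probe = any(label != "SYN scan / connect()" for label in entry["types"])
        entry["suspicious"] = odd_probe or len(entry["ports"]) >= distinct_port_threshold
    return per_src

# Constructed sample: one ordinary web client, one FIN/Xmas scanner, one SYN sweep.
SAMPLE_RECORDS = (
    [{"src": "10.0.0.5", "dport": 80, "flags": SYN},
     {"src": "10.0.0.5", "dport": 80, "flags": ACK | PSH}]
    + [{"src": "10.0.0.9", "dport": p, "flags": FIN} for p in (21, 22, 23)]
    + [{"src": "10.0.0.9", "dport": 25, "flags": FIN | URG | PSH}]
    + [{"src": "10.0.0.7", "dport": p, "flags": SYN} for p in range(1, 13)]
)

if __name__ == "__main__":
    for src, info in tally_probes(SAMPLE_RECORDS).items():
        verdict = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{src:<10} {dict(info['types'])} ports={sorted(info['ports'])} {verdict}")
```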

Page 34: Identify Running Services

• nmap
• netcat
• Udp_scan (and others from SATAN)
• Using SYN scan is usually stealthy
• Beware of DoS results

Page 35: OS Detection

• Stack fingerprinting
  – Vendors interpret RFCs differently
• Example:
  – RFC 793 states correct response to FIN probe is none
  – Win/NT responds with FIN/ACK
• Based on responses to specific probes, possible to make very educated guesses as to what OS is running
  – Nmap database so accurate, it is used in commercial products (e.g. eEye Retina scanner)
  – Automated tools to make this easy!
    • Nmap (www.insecure.org/nmap/)

Page 36: Enumeration

• Try to identify valid user accounts on poorly protected resource shares, e.g. on Windows-based systems
  – net view
    • lists domains on network
    • can also list shared resources
  – nltest -- identifies primary & backup domain controllers
  – SNMP
  – open a telnet connection

Page 37: Automated, Graphical Tools

• Can trace network topology very accurately
  – ID machines by IP, OS, etc.
  – Makes attack much easier
• No shortage of possible tools
  – Frequent additions to list
  – One source: http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

Page 38: Many Other Scanners

• eEye Retina Scanner – http://www.eeye.com/html/resources/tours/retina/index.html
• Nessus
  – Unix-based system and network scanner
• NeWT
  – Windows port of Nessus with graphical front-end
  – http://www.tenablesecurity.com/products/newt.shtml
• …and lots more. Google is your friend.

Page 39: Network Based Attacks

Oldies and Goodies--It Isn’t Magic

Page 40: Word of Warning

• Some of the attacks about to be described are as old as network attacks themselves
  – This doesn’t make studying them a waste of time
  – There is nothing new under the sun -- old attacks keep popping up in new clothes

“Those who do not study history are condemned to repeat it.”

George Santayana

Page 41: Getting Fingered

Aimee Girard (agirard)
Home: /usr3/agirard    Shell: /sh/tcsh
Building: Unknown    Work phone: Unknown    Home phone: Unknown
Directory: /usr3/agirard    Shell: /sh/tcsh
No unread mail.
Aimee Girard has never logged on.
No plan.

Andrew George Marut (agmarut)
Home: /usr2/agmarut    Shell: /sh/tcsh
Building: Unknown    Work phone: Unknown    Home phone: Unknown
Directory: /usr2/agmarut    Shell: /sh/tcsh
Mail forwarded to: [email protected]
Andrew George Marut (agmarut) is not presently logged in.
Last seen on ece.wpi.edu at Tue Mar 27 03:06:03 2001

Page 42: Do You Know Who?

ece(ttyp9):~> who
crcalvo   ttyp0  Mar 14 17:52
rcl       ttyp1  Mar 20 07:53
renato    ttyp2  Mar 20 08:38
anshul    ttyp4  Mar 20 09:18
pavan     ttyp5  Mar 19 04:08
lavanya   ttyp6  Mar 20 08:53
clements  ttyp7  Mar 20 09:45
aelliott  ttyp8  Mar 20 10:46
rstanley  ttyp9  Mar 20 12:18
bram      ttypa  Mar 20 10:42
gaubatz   ttypb  Mar 20 10:42

Page 43: TCP Review

Page 44: (no text on this slide)

Page 45: TCP Actions

• Assumes IP addresses are valid and correct
• If sequence number received ≠ sequence number expected, packet is refused (discarded); system waits for correctly numbered packet

Page 46: Sequence Number Prediction

• Determine server’s IP address
  – Sniffing packets
  – Trying host numbers in order
  – Connect w/browser, observe address in status
• Try addresses in the server’s address space
• Monitor packet sequence numbers
• Predict and spoof the next sequence number
  – Hacker now appears to be a legitimate user

Page 47: Purpose, Detection & Defense

• Once on net as an internal user, hacker can use net as a base for other attacks, or to access information on the net just spoofed
• Detection: look for sequential “Access denied” entries in the audit log
• Prevention: if available, enable real-time notification of large number of sequential access denial entries
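The detection rule on this slide, run over constructed audit-log lines, as an added example that is not taken from the slides: it counts consecutive “Access denied” entries per source, starts over on any other event from that source, and raises one alert when a run reaches the threshold. The log line layout (timestamp, source, message), the threshold and the window are assumptions made for the example.

```python
"""Flag runs of consecutive "Access denied" entries in an audit log.

Added example, not from the original slides. The log layout
(timestamp, source, message) is an assumption; the sample lines are
constructed.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, source, message) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["msg"]

def find_denial_runs(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per source whose consecutive denials reach `threshold`.

    A run is a sequence of "Access denied" events from one source with no
    other event from that source in between, all starting within `window`
    of the first. Any other event from the source, or a run older than the
    window, starts the count over. Alerts are (source, first_ts, last_ts,
    count), raised once when the threshold is first reached so a long
    burst does not produce one alert per line.
    """
    runs = {}        # source -> [first_ts, last_ts, count]
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, msg = parsed
        if "Access denied" not in msg:
            runs.pop(src, None)          # any other event ends the run
            continue
        run = runs.get(src)
        if run is None or ts - run[0] > window:
            run = runs[src] = [ts, ts, 0]
        run[1] = ts
        run[2] += 1
        if run[2] == threshold:
            alerts.append((src, run[0], run[1], run[2]))
    return alerts

# Constructed sample: one user is refused once and then logs on; another
# source is refused on share after share, the pattern the slide describes.
SAMPLE_LOG = """
2011-03-20 12:18:01 10.1.1.20 Access denied: object=payroll user=jdoe
2011-03-20 12:18:07 10.1.1.20 Logon success: user=jdoe
2011-03-20 12:18:09 10.1.1.77 Access denied: object=payroll user=admin
2011-03-20 12:18:10 10.1.1.77 Access denied: object=finance user=admin
2011-03-20 12:18:10 10.1.1.77 Access denied: object=hr user=admin
2011-03-20 12:18:11 10.1.1.77 Access denied: object=eng user=admin
2011-03-20 12:18:12 10.1.1.77 Access denied: object=backup user=admin
2011-03-20 12:18:13 10.1.1.77 Access denied: object=it user=admin
""".strip().splitlines()

if __name__ == "__main__":
    for src, first, last, count in find_denial_runs(SAMPLE_LOG):
        print(f"ALERT {src}: {count} consecutive denials "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```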

Page 48: SYN Flood

• Send a normal SYN packet to a server, as if to open a TCP connection
• When the server returns a SYN/ACK packet, ignore it
• Send another SYN packet to the server
• Repeat as necessary...
• ...until server cannot handle any more

Page 49: FINish, But Don’t Start

• Attacker sends FIN packet to server, but has not previously established a TCP connection
• Server replies with RST packet
• Attacker now knows that port on that server is alive and functioning

Page 50: Passive Sniffing

• Hacker obtains access to network segment; observes and analyzes traffic
  – Unauthorized access to legitimate computer (packet monitors are a standard Windows fixture)
  – Unauthorized added NIC on segment
• Purpose: gather intelligence, read traffic
• Defense:
  – Secure authentication schemes (Kerberos)
  – Data encryption

Page 51: Desynchronization Attacks

• Hacker forces both ends of TCP session into a desynchronized state
• Hacker then uses a third-party host (a computer connected to the physical segment under attack) to intercept original packets and create acceptable replacement packets that mimic the real ones that would have been exchanged
• NB: desynchronized ≠ disconnected

Page 52: ACK Storm

• Primary flaw of desynchronization attack
• Receipt of unacceptable packet generates ACK packet to source with expected sequence number
  – First ACK packet from server contains server’s own sequence number
  – Client refuses packet, because it did not initially send the modified-request packet
  – Client now sends its own ACK packet, and ...

Page 53: The End of the Storm

• In theory, the ACK storm is an infinite loop
• BUT…
  – If ACK packet lost, no further ACK is sent, because the packet contains no data payload
  – TCP communicates over a lossy network (i.e. packets will get lost)
  – With non-zero packet loss, storm quickly ends
  – Self-regulating

Page 54: More ACK Info

• All networks lose packets, so retransmission occurs
• When an active attack such as described before occurs, even more retransmission occurs than in the normal course of events
• Extra packets due to the ACK storms
• One data packet can generate 10-300 empty ACK packets

Page 55: Detecting Attacks

• Detect desynchronized states
  – Use packet reader (i.e., a sniffer) to view sequence numbers at both ends of a connection
  – Sequence numbers show if desynchronized
• Packet percentage counting
  – Collect statistics on normal network operations
  – Use statistics to detect packet storms resulting from attacks
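Slides 53 to 55 taken together, as an added example that is not part of the original slides: a Python model in which each end answers every unacceptable ACK with an empty ACK until one is lost, so with loss probability p the storm lasts about 1/p packets (the 10-300 range of slide 54 corresponds to loss rates of a fraction of a percent up to ten percent) and never ends for p = 0, followed by the packet-percentage-counting detector of slide 55 applied to constructed per-interval packet counts. The storm model, the interval data and the z-score threshold are assumptions of the example.

```python
"""ACK storm length under packet loss, plus "packet percentage counting".

Added example, not from the original slides. Model (an assumption that
follows slides 52-54): once desynchronised, each end answers every
unacceptable ACK with an empty ACK of its own, so the storm runs until
one of those empty ACKs is lost. With loss probability p the number of
empty ACKs is geometric with mean 1/p; with p = 0 it never ends.
"""
import random
import statistics

def ack_storm_length(loss_prob, rng=None, cap=10_000):
    """Empty ACKs exchanged before a loss ends the storm (`cap` if it never does)."""
    rng = rng or random.Random(0)
    sent = 0
    while sent < cap:
        sent += 1
        if rng.random() < loss_prob:    # this ACK is lost; nobody replies to it
            return sent
    return cap

def mean_storm_length(loss_prob, trials=2000, seed=1):
    """Average storm length over many seeded trials (close to 1/loss_prob)."""
    rng = random.Random(seed)
    return statistics.fmean(ack_storm_length(loss_prob, rng) for _ in range(trials))

def empty_ack_fraction(data_packets, empty_acks):
    total = data_packets + empty_acks
    return empty_acks / total if total else 0.0

def storm_detector(baseline_intervals, observed_intervals, z_threshold=3.0):
    """Packet percentage counting (slide 55).

    Learn the normal share of empty ACKs per sampling interval from
    `baseline_intervals`, then flag each observed interval whose share lies
    more than `z_threshold` standard deviations above that mean. Every
    interval is a (data_packets, empty_acks) pair.
    """
    base = [empty_ack_fraction(d, a) for d, a in baseline_intervals]
    mu, sigma = statistics.fmean(base), statistics.pstdev(base)
    sigma = max(sigma, 1e-6)          # a perfectly flat baseline must not divide by zero
    return [(empty_ack_fraction(d, a) - mu) / sigma > z_threshold
            for d, a in observed_intervals]

# Constructed counts: normal TCP carries roughly one ACK per one to two data
# segments; in a storm interval a few data segments drag in hundreds of ACKs.
BASELINE = [(100, 55), (120, 60), (90, 50), (110, 58), (95, 52), (105, 54)]
OBSERVED = [(100, 56), (100, 54), (40, 1500), (100, 57)]

if __name__ == "__main__":
    for p in (0.1, 0.01):
        print(f"loss {p:.0%}: mean storm {mean_storm_length(p):.1f} empty ACKs")
    print("p = 0:", ack_storm_length(0.0), "empty ACKs (hit the cap: never ends)")
    print("storm intervals:", storm_detector(BASELINE, OBSERVED))
```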

Page 56: Spoofing

“You can fool all of the people some of the time. You can fool some of the people all of the time. But you can’t fool all of the people all of the time.”

Abraham Lincoln

Fooling most of the people most of the time is usually good enough!

Page 57: IP Spoofing - 1

• Hacker changes masquerade host IP address to the trusted client’s address
• Hacker builds source route to server with direct path packets should take to/from server and back to hacker’s host, with trusted client as last hop in route to server
• Hacker uses source route to send client request to server
• What’s wrong with this picture?

Page 58: IP Spoofing - 2

• Simpler approach: wait until client system shuts down and impersonate the system
  – Example: Unix NFS uses IP addresses only to authenticate clients
  – Hacker sets up PC with name and IP address of legitimate client, then initiates connection to Unix host
  – Typical “insider” attack, as it needs knowledge of which computers are not active

Page 59: Spoofing E-mail

• Open your email client
• Change the “Name” field to something else
• Change the “Email address” to something else
• Delete the Incoming Mail Server address
• Delete the value of Mail Server User Name
• If you were really bad, you would find an outgoing mail server that allowed anonymous login for outgoing mail, and put its name here
• The approach above is good enough to fool most people most of the time

Page 60: Automated Spoofing

• C2MYAZZ
  – Who knows to what this filename refers?
  – Hijacks session without disrupting connectivity
  – This clever utility exploits what was intended as a feature for convenience and backwards compatibility
  – So, since this is well-known, the tool must be hard to get or overtaken by events, yes?

Page 61: (no text on this slide)

Page 62: Preventing Spoofing

• Firewall packet filtering
  – Audit incoming traffic. You should never find packets with source and destination addresses in the local domain coming in from outside. BUT…this takes lots of effort
  – Don’t allow packets that appear to have originated locally to come in from outside
• Hard, especially when hacker is inside

Page 63: Buffer Overflow Examples

• Sending oversize ICMP packets
• Sending IIS 3.0 a 4048 byte URL request
• Sending email with 256-character file name attachments to Netscape/MS email clients
• SMB logon to NT with incorrect data size
• Sending Pine user an email with “from” address > 256 characters

Page 64: What Do You Intend?

• Take over a session
  – Why?
  – What information do you want to get/put?
• Associate with a network more or less permanently
• Deny service to selected servers / networks / clients?
• Anything else?

Page 65: The Dreaded Cookie

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.

home.netscape.com   FALSE  /  FALSE  942189161   NGUserID  cc98a714-14298-900987956-4
.doubleclick.net    TRUE   /  FALSE  1920499140  id        3aa44cd0
.netscape.com       TRUE   /  FALSE  1293840000  UIDC      24.128.181.249:0921530518:183152
www.netscape.com    FALSE  /  FALSE  942189161   NGUserID  cfc84b26-10757-921530518-1
.imgis.com          TRUE   /  FALSE  1078108157  JEB2      A80C29F3DBB5C25F1880B5F93004CF94
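The slide shows a cookies.txt in the Netscape format (one cookie per line, seven tab-separated fields). As an added example that is not from the slides, here is a Python parser for that format which separates domain-wide, long-lived identifiers (the ad-network pattern visible above) from ordinary site cookies; the sample file uses the slide's cookie values but constructed example domain names, and the reference time is an assumption.

```python
"""Parse a Netscape-format cookies.txt and sort out the tracking identifiers.

Added example, not from the original slides. Format: one cookie per line,
seven tab-separated fields (domain, domain-wide flag, path, secure flag,
expiry as Unix seconds, name, value); '#' lines are comments. The sample
file below uses constructed domain names.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SECONDS_PER_YEAR = 365 * 86400

@dataclass
class Cookie:
    domain: str
    domain_wide: bool     # TRUE: sent to every host under `domain`
    path: str
    secure: bool
    expires: int          # Unix time
    name: str
    value: str

    @property
    def tracker_like(self) -> bool:
        """Leading dot plus domain-wide: one identifier follows the user
        across every host of that domain, the ad-network pattern on the slide."""
        return self.domain.startswith(".") and self.domain_wide

    def expires_utc(self):
        return datetime.fromtimestamp(self.expires, timezone.utc)

def parse_cookie_file(text):
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # header/comment lines
        fields = raw.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
        domain, flag, path, secure, expiry, name, value = fields
        if flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            raise ValueError(f"line {lineno}: flags must be TRUE or FALSE")
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expiry), name, value))
    return cookies

def summarize(cookies, now_ts):
    """Bucket cookies as seen at `now_ts` (Unix time): already expired,
    long-lived domain-wide trackers, and everything else."""
    report = {"expired": [], "tracking": [], "other": []}
    for c in cookies:
        key = f"{c.domain}:{c.name}"
        if c.expires <= now_ts:
            report["expired"].append(key)
        elif c.tracker_like and c.expires - now_ts > SECONDS_PER_YEAR:
            report["tracking"].append(key)
        else:
            report["other"].append(key)
    return report

# Constructed cookies.txt (the tabs are significant).
SAMPLE_FILE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    "home.example.net\tFALSE\t/\tFALSE\t942189161\tNGUserID\tcc98a714-14298-900987956-4\n"
    ".adnet.example\tTRUE\t/\tFALSE\t1920499140\tid\t3aa44cd0\n"
    ".example.net\tTRUE\t/\tFALSE\t1293840000\tUIDC\t24.128.181.249:0921530518:183152\n"
    "www.example.net\tFALSE\t/\tTRUE\t1310000000\tsess\tabc123\n"
)
NOW_2011_03_20 = 1300579200    # 2011-03-20 00:00:00 UTC, the lecture's term

if __name__ == "__main__":
    cookies = parse_cookie_file(SAMPLE_FILE)
    for c in cookies:
        print(f"{c.domain:<18} {c.name:<9} expires {c.expires_utc():%Y-%m-%d} "
              f"tracker={c.tracker_like}")
    print(summarize(cookies, NOW_2011_03_20))
```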

Page 66: If You Don’t Like Cookies?

• Use a utility or your browser tools to remove them (IE and Netscape 6 and later)
  – Find them using the FIND function; they’re all over the place (especially in Windows)
  – But they keep coming back!
• In Windows, accept those you want, set the C:/Windows/Cookies folder as Read Only
• In Unix, make cookies.txt zero-length R/O

Page 67: How to Keep Up?

• Common Vulnerabilities and Exposures – http://www.cve.mitre.org/
• CVE is
  – A dictionary, NOT a database
  – A community effort
  – Freely available
• In short, this is not a “how to hack” list

Page 68: What About Hacker Sites?

• Can provide an idea of the current state of affairs, and also toolkits
• BE CAREFUL!
  – What you download may come with little “surprises”
    • If you download, quarantine and test
  – These sites don’t just exist to serve hackers; some also exist to hack

Page 69: Firewalls

• Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet
• Despite common opinion, not a panacea or an “out-of-the-box” security solution

Page 70

Firewall is to Network
as
User privilege is to Operating system

Page 71: What Is a Firewall?

• A router with attitude?
• A device to implement an access control policy?
• A physical device?
• A logical device?
• The preferred solution for network protection?

Page 72: Where Does This Term Come From?

Firewall means a fire separation of noncombustible construction that subdivides a building or separates adjoining buildings to resist the spread of fire that has a fire-resistance rating as prescribed in the Building Code and that has structural stability to remain intact under fire conditions for the required fire-rated time. (Italics added)

Source: The Ontario Fire Code, § 1.2.1.2

Page 73: Firewall Design Principles

• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features for all workstations and servers not established
• Segregating “inside” from “outside” can offer security advantages

Page 74: Firewall Design Principles

• The firewall is inserted between the premises network and the Internet or another external network
• Aims:
  – Establish a controlled link
  – Protect the premises network from Internet-based or “outside” attacks
  – Provide a single choke point (good or bad?)

Page 75: Firewall Characteristics

• Design goals:
  – All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  – Only authorized traffic (defined by the local security policy) will be allowed to pass

Page 76: Firewall Characteristics

• Design principles:
  – The firewall itself is immune to penetration (use of trusted system with a secure operating system)
  – Although this is a noble goal, it is virtually impossible to achieve!

Page 77: Firewall Characteristics - 1

• Service control
  – Determines the types of external services that can be accessed, inbound or outbound
• Direction control
  – Determines the direction in which particular service requests are allowed to flow

Page 78: Firewall Characteristics - 2

• User control
  – Controls access to a service according to which user is attempting to access it
• Behavior control
  – Controls how particular services can be used (e.g. filter e-mail)

Page 79: Types of Firewalls

• Three common types of Firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways

Page 80: Packet-filtering Firewall

Page 81: Packet-Filtering Firewall

• Applies a set of rules to each incoming IP packet and then forwards or discards the packet based on conformance to the rules
• Filters packets going in both directions
• The packet filter is typically set up as a list of rules based on matches to fields in the IP and/or TCP header
• Two default policies (discard or forward)

Page 82: Packet Filtering Firewall

• Advantages:
  – Simple
  – Transparent to users
  – High speed
• Disadvantages:
  – Difficult to set up packet filter rules
  – Lack of authentication

Page 83: Packet Filtering Firewall

• Possible attacks and appropriate countermeasures
  – IP address spoofing
  – Source routing attacks
  – Tiny fragment attacks
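The three countermeasures on this slide together with the anti-spoofing audit of slide 62 and the rule list with a default policy of slide 81, as an added example that is neither the slides' nor any firewall product's code: a Python rule-list filter that, before consulting its rules, discards outside packets claiming an inside source address (and inside packets claiming an outside one), source-routed packets, and first fragments too short to carry the transport header the rules match on. The packet-record layout, the rule syntax, the 192.168.10.0/24 premises network and the sample addresses are assumptions made for the example.

```python
"""Rule-list packet filter with the countermeasures from slide 83 and the
anti-spoofing audit from slide 62.

Added example, not from the original slides or any firewall product.
Packet layout (dict), rule syntax and addresses are assumptions for the
example; 192.168.10.0/24 stands in for the premises network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("192.168.10.0/24")   # constructed premises network
# A first fragment too short to carry the transport header fields the filter
# matches on is dropped (the defence RFC 1858 describes for tiny fragments).
MIN_FIRST_FRAGMENT_PAYLOAD = 20                      # bytes; constructed threshold

@dataclass
class Rule:
    action: str                    # "forward" or "discard"
    direction: str                 # "in" (from outside) or "out" (from inside)
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    comment: str = ""

    def matches(self, pkt, direction):
        return (self.direction == direction
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

def sanity_checks(pkt, direction):
    """Checks applied before the rule list. Returns a discard reason or None."""
    src = ipaddress.ip_address(pkt["src"])
    if direction == "in" and src in INSIDE:
        # Slide 62: a packet claiming a local source must never arrive from outside.
        return "inside source address arriving from outside (spoofing)"
    if direction == "out" and src not in INSIDE:
        return "non-local source address leaving the premises (spoofing)"
    if "source_route" in pkt.get("options", ()):
        # Source routing lets the sender dictate the return path (slide 57).
        return "source-routed packet"
    if (pkt["proto"] in ("tcp", "udp") and pkt.get("more_fragments")
            and pkt.get("frag_offset", 0) == 0
            and pkt["payload_len"] < MIN_FIRST_FRAGMENT_PAYLOAD):
        return "tiny first fragment"
    return None

def filter_packet(pkt, rules, default="discard"):
    """Apply the sanity checks, then the first matching rule, then `default`.

    Direction comes from the interface the packet arrived on
    ('outside' or 'inside'), never from the source address it claims.
    """
    direction = "in" if pkt["arrived_on"] == "outside" else "out"
    reason = sanity_checks(pkt, direction)
    if reason is not None:
        return "discard", reason
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action, rule.comment or "rule match"
    return default, "default policy"

# Constructed policy: inbound only to the web and mail ports, anything out.
RULES = [
    Rule("forward", "in", "tcp", 80, "public web server"),
    Rule("forward", "in", "tcp", 25, "mail relay"),
    Rule("forward", "out", comment="any outbound"),
]

def make_pkt(src, arrived_on, proto="tcp", dport=80, payload_len=40, **extra):
    pkt = {"src": src, "arrived_on": arrived_on, "proto": proto,
           "dport": dport, "payload_len": payload_len}
    pkt.update(extra)
    return pkt

# Constructed traffic exercising each path through the filter.
SAMPLE_PACKETS = {
    "web_request":    make_pkt("203.0.113.5", "outside", dport=80),
    "telnet_probe":   make_pkt("203.0.113.5", "outside", dport=23),
    "spoofed":        make_pkt("192.168.10.7", "outside", dport=80),
    "source_routed":  make_pkt("203.0.113.5", "outside", dport=80, options=("source_route",)),
    "tiny_frag":      make_pkt("203.0.113.5", "outside", dport=80, payload_len=8,
                               more_fragments=True, frag_offset=0),
    "outbound_https": make_pkt("192.168.10.7", "inside", dport=443),
    "egress_spoof":   make_pkt("203.0.113.9", "inside", dport=443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        verdict, why = filter_packet(pkt, RULES)
        print(f"{name:<15} {verdict:<8} {why}")
```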

Page 84: Application-level Gateway

Page 85: Application-level Gateway

• Also called proxy server
• Acts as a relay of application-level traffic

Page 86: Application-level Gateway

• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)
  – Speed

Page 87: Circuit-level Gateway

Page 88: Circuit-level Gateway

• Stand-alone system, or
• Specialized function performed by an application-level gateway
• Sets up two TCP connections
• The gateway typically relays TCP segments from one connection to the other without examining the contents

Page 89: Circuit-level Gateway

• Security function consists of determining which connections will be allowed
• Typically used where the system administrator trusts the internal users
• An example is the SOCKS package

Page 90: Bastion Host

• Sometimes called a DMZ
• A system identified by the firewall administrator as a critical strong point in the network’s security
• The bastion host serves as a platform for an application-level or circuit-level gateway

Page 91: Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible

• Three common configurations are shown next:

Page 92: Firewall Configurations

• Screened host firewall system (single-homed bastion host)

Page 93: Screened Host Firewall

• Firewall consists of two systems:
  – A packet-filtering router
  – A bastion host

• Configuration for the packet-filtering router:
  – Only packets from and to the bastion host are allowed to pass through the router

• The bastion host performs authentication and proxy functions

Page 94: Screened Host Firewall

• Greater security than single-system configurations:

– Implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)

  – An intruder must generally penetrate two separate systems (but if the outside router is compromised, what then? In the single-homed configuration a compromised router can forward packets straight to internal hosts, bypassing the bastion host entirely)

• Affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Page 95: Firewall Configurations

• Screened host firewall system (dual-homed bastion host)

Page 96: Dual-homed Bastion Host

• Even if the packet-filtering router is completely compromised:
  – Traffic between the Internet and other hosts on the private network still has to flow through the bastion host, because the host has one interface on each network and nothing but the gateway software connects them
  – Check that IP forwarding is disabled on the bastion host; if the kernel forwards packets between its two interfaces, the "dual-homed" host is just another router and the second layer disappears

• Provides two layers of security

Page 97: Firewall Configurations

• Screened-subnet firewall system

Page 98: Screened-Subnet Firewall

• Most secure configuration of the three
• Two packet-filtering routers are used:
  – One between the bastion host and the external network (the outer router)
  – One between the bastion host and the internal network (the inner router)
• Creates an isolated sub-network (the screened subnet, or DMZ) on which the bastion host and any public servers sit

Page 99: Screened-Subnet Firewall

• Advantages:

  – Three levels of defense to thwart intruders: the outer router, the bastion host, and the inner router
  – The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
  – The inside router advertises only the existence of the screened subnet to the internal network (systems on the inside network cannot construct direct routes to the Internet and must go through the gateway on the bastion host)
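As an added example (not from the lecture), the two routers' roles can be written down as first-match packet-filter rule sets and checked against constructed packets. The networks and services are assumed: 10.0.0.0/8 is the internal network, 203.0.113.0/24 the screened subnet, with the bastion host at 203.0.113.10 (gateway listening on port 1080) and a public web server at 203.0.113.20. The anti-spoofing rules on the outer router are a practitioner addition the slides do not mention.

```python
"""Added example (not from the lecture): first-match packet-filter rule sets for
the two routers of a screened-subnet firewall, and a trace of constructed packets
through whichever routers lie on their path. Addresses and the service mix are
assumed (documentation ranges), not taken from the lecture."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal network
DMZ = ipaddress.ip_network("203.0.113.0/24")         # assumed screened subnet
BASTION = ipaddress.ip_network("203.0.113.10/32")    # assumed bastion host (runs the gateway)
WEB = ipaddress.ip_network("203.0.113.20/32")        # assumed public web server on the subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # interface the router received it on: "inside", "dmz" or "outside"

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    iface: str   # "inside", "dmz", "outside" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.dport in (None, p.dport))

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Outer router: Internet <-> screened subnet. Only the public services on the
# subnet are reachable from outside; no internal address is reachable at all.
OUTER = [
    Rule("deny", "outside", INTERNAL, ANY),   # anti-spoofing: inside addresses never arrive from outside
    Rule("deny", "outside", DMZ, ANY),        # (added practice, not on the slides)
    Rule("allow", "outside", ANY, WEB, 80),
    Rule("allow", "outside", ANY, BASTION, 25),
    Rule("allow", "dmz", DMZ, ANY),           # subnet hosts may initiate outbound connections
]
# Inner router: screened subnet <-> internal network. Internal clients reach only
# the gateway on the bastion host; only the bastion host may initiate inward.
INNER = [
    Rule("allow", "inside", INTERNAL, BASTION, 1080),   # gateway port on the bastion host (assumed)
    Rule("allow", "dmz", BASTION, INTERNAL, 25),        # bastion host delivers mail inward (assumed)
]

ZONES = ["inside", "dmz", "outside"]
ROUTERS = {frozenset({"inside", "dmz"}): ("inner", INNER),
           frozenset({"dmz", "outside"}): ("outer", OUTER)}

def zone_of(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    return "inside" if a in INTERNAL else "dmz" if a in DMZ else "outside"

def trace(src: str, dst: str, dport: int):
    """Pass a connection-initiating packet through each router between the source
    and destination zones; return (verdict, ["router:verdict", ...])."""
    i, j = ZONES.index(zone_of(src)), ZONES.index(zone_of(dst))
    step, hops = (1 if j > i else -1), []
    for k in range(i, j, step):
        here, there = ZONES[k], ZONES[k + step]
        name, rules = ROUTERS[frozenset({here, there})]
        verdict = evaluate(rules, Packet(src, dst, dport, iface=here))
        hops.append(f"{name}:{verdict}")
        if verdict == "deny":
            return "deny", hops
    return "allow", hops
```

`trace` models only connection-initiating packets; a stateless filter also needs rules (or the ACK-bit test) for reply traffic, which is omitted here. The checks worth running are the ones the slides imply: an internal client can reach the gateway but not the Internet directly; the Internet can reach the web server but no internal address; and a compromised web server on the screened subnet still cannot open connections inward, which is what the three levels of defense buy.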

Page 100: Summary - 1

• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful
• There are three basic steps to planning, which together are called vulnerability assessment:
  – Acquire the target (case the joint)
  – Scan for vulnerabilities (find the entry points)
  – Identify poorly protected data (enumeration)

• This applies if you are inside or outside the protected perimeter!

Page 101: Summary - 2

• TCP/IP was not designed with security in mind; as a result, it has vulnerabilities that can be exploited

• There are many ways to get access to information
• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources

• Never forget: the best access is hands-on (physical access to the machine)

Page 102: Summary - 3

• Firewalls are useful to enforce security policy at the network edges
  – They don't help against inside threats

• Popularly believed to provide "hardened" security as they come out of the box; they do not

• If not properly configured, can introduce more problems than they solve

• Come in both hardware and software flavors, but all have software inside

Page 103: Homework - 1

1. Research attack scenarios and tools that you find in literature or on the Internet. Describe two attack scenarios and the tools required (if any) that would enable you to break into the WPI network from outside. Don’t actually break in, or try to!!

Page 104: Homework - 2

2. Describe how a smurf attack works (don't just parrot the description you find). Describe how to stop it.

3. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?