CS682-Network Security: Module-1 Introduction to Network Security pdf


Page 1

CS682-Network Security

Module-1 Introduction to Network Security

SYN

- This is CS682, Network Security
- There is a lab in RH219, get your accounts
- Homework-0 is on-line: Part I, II due next week, Part III, IV due in two weeks
- Homework submission:
  demos of their work
- Website: http://isis.poly.edu/courses/cs682/

Page 2

Prerequisites for CS682

- Website: http://isis.poly.edu/courses/cs392-f2002/
- Textbook: “Computer Security: Art and Science,” Matt Bishop, 0201440997
- Textbook: “TCP/IP Illustrated, Vol 1,” Richard W Stevens
- Programming Reference: “Unix Network Programming, Vol 1,” Richard W Stevens, 013490012X
- CS623 – Operating Systems I
- Textbook: “Operating System Concepts,” Silberschatz, Galvin, & Gagne

Prerequisites for CS682

- Cryptography & Computer Security:
- Networking:
  - IP
- Programming Environment:

Page 3

XYZ Enterprise Network Layout

[Figure: enterprise network layout. A backbone links a server network (Server_00, Server_01 and Server_02 behind a switch), a student network, and the accounting, sales, information systems, customer service and human resources segments; an internal router/firewall, an external router/firewall and an IDS system are also shown.]

What is This Course about?

We will explore:

- Various vulnerabilities in network protocols and services.
- Mechanisms to protect networks.
- Security tools.
- Vulnerabilities and solutions
- Security protocols built on top of TCP/IP
- Security devices and tools to test and protect networks
- Explore TCP/IP vulnerabilities in detail by exploiting them using CASL
- Learn to analyze a TCP/IP network for vulnerabilities
- Write small client/server applications and learn to do penetration testing on your code and algorithm
- Learn to set up security devices such as firewalls and IDS systems, and how to integrate them
- “War Games” – a serious one if time permits

Page 4

Introduction to TCP/IP

Legend: R/L = HTTP Request and Reply, TH/F = TCP Header and Footer, IH/F = IP Header and Footer, EH/F = Ethernet Header and Footer

[Figure: Host A (HTTP web browser) and Host B (HTTP web server), each with a TCP, IP and NIC driver layer (a 3Com NIC driver on A, a 1GB NIC driver on B), joined through the network cloud. The request R goes down Host A's stack, gaining TCP (TH R TF), IP and Ethernet headers and footers to become EH IH TH R TF IF EF on the wire, and is unwrapped layer by layer on Host B; the reply L makes the same trip back as EH IH TH L TF IF EF. The HTTP, TCP and network layers each see a logical link to their peer.]

Security Issues in Networking

Life is great here (An ideal life)

Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability. Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system.

[Figure: Normal Flow from Host A to Host B; Interruption of the flow from Host A to Host B.]

Page 5

Security Issues in Networking

Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer. Examples include wiretapping to capture data in a network, and the illicit copying of files or programs.

[Figure: Interception, involving Host C.]

Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network.

[Figure: Modification, involving Host C.]

Security Issues in Networking

Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. Examples include the insertion of spurious messages in a network or the addition of records to a file.

[Figure: Fabrication, involving Host C.]

Attacks can be classified into two broad categories:

- Passive Attack: passive attacks can only observe communications or data
- Active Attack: active attacks can actively modify communications or data. Often difficult to perform, but very powerful. Example: mail forgery/modification, and TCP/IP spoofing/session hijacking

Page 6

Security Issues in TCP/IP

- Most of the attacks present today were unheard of during the design of TCP/IP
- It was designed to protect DoD network infrastructures
- The primary objective during the design was to have a robust communication protocol that would survive partial network damage
- There was no threat from the insider; the notion of having a malicious node did not exist (Nodes were missile silos)

Network Programming in Unix

- Network programming jargons:
- Client-Server Model:

[Figure: Client-Server Model: a Request from the client to the server and a Response back.]

Page 7

Client-Side Programming

address, port number

to server

socket were a file

```c
/* Needs <sys/socket.h>, <netinet/in.h>, <arpa/inet.h>, <strings.h>, <unistd.h> */
struct sockaddr_in server;
bzero(&server, sizeof(server));                  /* zero the address structure */
int sockfd = socket(AF_INET, SOCK_STREAM, 0);    /* TCP socket */
server.sin_family = AF_INET;
server.sin_port = htons(80);                     /* port in network byte order */
inet_pton(AF_INET, argv[1], &server.sin_addr);   /* server IP from the command line */
/* 4. */ connect(sockfd, (struct sockaddr *)&server, sizeof(server));
write(sockfd, request, strlen(request));         /* request, buffer: caller's buffers */
read(sockfd, buffer, max_buffer);                /* read the reply as if the socket were a file */
```

Server-Side Programming

```c
struct sockaddr_in server;
bzero(&server, sizeof(server));
int listenfd = socket(AF_INET, SOCK_STREAM, 0);  /* TCP listening socket */
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);      /* accept on any local interface */
server.sin_port = htons(80);
bind(listenfd, (struct sockaddr *)&server, sizeof(server));
listen(listenfd, 5);                             /* backlog of pending connections */
int connfd = accept(listenfd, NULL, NULL);       /* peer address not needed here */
read(connfd, buff, buff_max);                    /* buff: caller's buffer */
```

Page 8

On the Wire

[Figure: client and server socket calls against the TCP exchange on the wire. The client's connect() sends SYN; the server, in listen()/accept(), answers SYN,ACK and enters SYN_RCVD; the client's ACK brings both sides to ESTABLISHED. write() and read() carry the request and the reply, each acknowledged with ACK. close() sends FIN, answered with ACK, taking the two sides through LAST_ACK and TIME_WAIT to CLOSED.]

References and Reading Assignments

- http://citeseer.nj.nec.com/cache/papers/cs/21491/http:zSzzSz www.cs.um.edu.mtzSz~kvelzSzCSA401zSzibm-tcpip.pdf/tcp-ip-tutorial-and.pdf (Look for “tcp ip security” at http://www.researchindex.com)
- From Books 24x7 (http://dibner.poly.edu/)
- Search in Google for more practical examples

Page 9

Taxonomy of Network Vulnerabilities

- Improper Design of Protocol (e.g.: 802.11 Security)
- Improper Implementation of Protocol (e.g.: Teardrop)
- Improper Configuration of Protocol (e.g.: Smurf)
- Passive Exploits (e.g.: Packet Sniffing)
- Blind Exploits (e.g.: Spoofing)
- Active Exploits (e.g.: Session Hijacking)
- Application Level (e.g.: Cross Site Scripting)
- Protocol Level (e.g.: Teardrop)
- MAC (e.g.: Jamming)

Packet Sniffing

- Sniffers are wire-tap devices (software+hardware) that can be plugged into a computer network to eavesdrop on computers in the network
- Sniffing requires physical access to the network medium
- It is a passive activity, in that sniffing doesn’t introduce new packets into the network
- Sniffing is useful in two ways:
  1. Eavesdropping (e.g.: extracting passwords or IDs)
  2. Traffic Analysis (e.g.: tracking ssh connections)
- Packet Sniffers have two phases:
  1. Packet Capture Phase
  2. Protocol Analysis Phase
- Two essential ingredients for successful sniffing:
  1. Shared Media
  2. Promiscuous Mode Operations

Page 10

Anatomy of a sniffer

- In normal mode, the network interface card discards packets not destined to the current host
- Promiscuous mode disables this function and allows all packets to flow through the network stack
- A sniffer would simply capture these packets for consumption
- There is more to a sniffer than setting a network card to promiscuous mode

[Figure: Normal Network Interface Operation: the card asks "is destination?" and hands the packet to the application only on yes, dropping it on no. Promiscuous Mode Network Interface Operation: the "is destination?" check is bypassed and every packet also reaches the sniffer.]

Anatomy of a sniffer

- Media: usually an Ethernet card but it could also be a wireless card or anything else.
- Capture Driver: software driver to capture and filter network traffic. E.g.: pcap and BPF
- Buffer: packets must be temporarily buffered prior to storage or processing. Usually fill-buffered or round-robin.
- Decode: packets must be decoded to a human readable form.
- Logging: permanent storage of packets for offline analysis.

[Figure: sniffer pipeline: Media -> Capture Driver -> Buffer -> Decode -> Logging/Editing]

- Popular sniffers:
  - Ethereal – excellent protocol analyzer
  - tcpdump – you’ll use this in homework
  - Carnivore – FBI uses this at ISPs
  - Aerosnort – 802.11 wireless sniffer
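The Decode stage described above, as an added Python example that is not from the slides: it walks the Ethernet, IPv4 and UDP headers of a frame and reports truncated input instead of misparsing it. The sample frame is constructed by `build_udp_frame` (checksums left zero, which is fine for an offline decode); the MAC and IP values are made up for the demonstration.

```python
import socket
import struct

ETH_IPV4, IPPROTO_UDP = 0x0800, 17


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Decode phase of a sniffer: walk Ethernet -> IPv4 -> UDP and return the
    fields an analyzer would display. Truncated input raises instead of misparsing."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETH_IPV4:
        return out                              # not IPv4: leave the payload undecoded
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes, options included
    out.update(src_ip=socket.inet_ntoa(sip), dst_ip=socket.inet_ntoa(dip),
               ttl=ttl, proto=proto)
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        out.update(src_port=sport, dst_port=dport,
                   payload=ip[ihl + 8:ihl + ulen])  # ulen counts the 8-byte UDP header
    return out


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Constructed sample frame for offline testing (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_IPV4) + ip + udp
```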

Page 11

Uses of sniffers

- Passwords
- Credit card numbers
- “Secret” email conversations
- If the network content is encrypted then perform traffic analysis to extract partial information
- Famous pizza delivery to Pentagon story

Sniffing out the sniffers…

impossible to detect a sniffer!

- Local detection of promiscuous mode
- Improper response to ping
- Improper response to ARP queries
- Improper response to DNS queries
- Source routing to suspicious node
- Employing a honeypot
- Network latency monitoring
- Time-domain reflectometers
- SNMP monitoring

methods?

Page 12

Detection of promiscuous mode

- If you suspect a machine is running a sniffer then use ifconfig to find out if the NIC is in promiscuous mode.
- Obviously, you will use an ifconfig binary from a trusted machine or CD-ROM.

```
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:AA:AA:AA:AA:AA
          inet addr:0.0.0.0  Bcast:0.0.0.55  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:595017 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xb800
```

Improper Response to Pings

sniffers put the network

card to promiscuous

mode?

is destined to the

machine or not, is sent

thru the network stack.

to trick the sniffers to

give up their locations.

- Send a ping (ICMP Echo Request) to a suspected sniffer with the IP of the sniffer but with a MAC of another machine.
- What happens in the network stack:
  1. Card receives the packet
  2. Since it is in promiscuous mode, it ignores the MAC address, removes the Ethernet header and sends the packet to IP.
  3. IP checks the IP destination; since it is the proper destination, it sends the packet to ICMP.
  4. ICMP sends an Echo Reply!
  5. Ooops!
- We know we should not be receiving a reply for this packet since the MAC and IP are mismatched!

Page 13

Improper Response to Pings

- This method can be generalized to:

such as TCP connection establishment or telnet.

message in response, such as bad IP packets.

location?

addressed to the machine using a software filter.

Improper response to ARP queries

replies then it is running in promiscuous mode.

- ARP requests are cached, since the machine that sends the request sends its own mapping in the request
  1. Send a non-broadcast ARP
  2. Send a broadcast ping
  3. The machine that replies without an ARP could have only gotten the mapping from our previous ARP, so it should be in promiscuous mode
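The two checks above (the Echo Request with a mismatched MAC, and the non-broadcast ARP followed by a broadcast ping) as an added Python model of a host's receive path; this is not code from the slides, and the `Host` class, the frame dictionaries and all MAC/IP values are constructed for the demonstration. Real stacks differ in detail, which is why the slides treat these as heuristics.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    """Constructed model of a host's receive path (NIC filter, ARP cache, ICMP)."""

    def __init__(self, mac, ip, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous
        self.arp_cache = {}   # ip -> mac learned from ARP requests it processed
        self.sent = []        # (kind, peer_ip) records of what the host put on the wire

    def nic_accepts(self, dst_mac):
        # Normal mode: only frames for our MAC or broadcast pass up the stack.
        # Promiscuous mode: the MAC check is skipped and everything is handed to IP.
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def receive(self, frame):
        if not self.nic_accepts(frame["dst_mac"]):
            return
        if frame["type"] == "arp-request" and frame["target_ip"] == self.ip:
            # The request carries the sender's mapping, which gets cached.
            self.arp_cache[frame["sender_ip"]] = frame["sender_mac"]
            self.sent.append(("arp-reply", frame["sender_ip"]))
        elif frame["type"] == "icmp-echo" and frame["dst_ip"] == self.ip:
            # IP checks only the destination address; the MAC check was the NIC's job.
            if frame["src_ip"] not in self.arp_cache:
                self.sent.append(("arp-request", frame["src_ip"]))  # resolve the peer first
            self.sent.append(("icmp-reply", frame["src_ip"]))


def ping_test(host, probe_ip, wrong_mac):
    """Echo Request carrying the host's IP but another machine's MAC:
    only a promiscuous host answers."""
    host.receive({"type": "icmp-echo", "dst_mac": wrong_mac,
                  "src_ip": probe_ip, "dst_ip": host.ip})
    return ("icmp-reply", probe_ip) in host.sent


def arp_test(host, probe_ip, probe_mac, wrong_mac):
    """Non-broadcast ARP (sent to a wrong MAC) followed by a broadcast ping: a reply
    without a preceding ARP request means the host learned our mapping by sniffing."""
    host.receive({"type": "arp-request", "dst_mac": wrong_mac, "sender_ip": probe_ip,
                  "sender_mac": probe_mac, "target_ip": host.ip})
    host.receive({"type": "icmp-echo", "dst_mac": BROADCAST,
                  "src_ip": probe_ip, "dst_ip": host.ip})
    return (("icmp-reply", probe_ip) in host.sent
            and ("arp-request", probe_ip) not in host.sent)
```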

Page 14

Improper Response to DNS Queries

- Some sniffers do reverse-DNS lookups on IP addresses they see.
- To identify sniffers, do a ping sweep on addresses that do not exist.
- Watch the DNS server for reverse-DNS queries for these addresses.
- By doing a reverse-DNS lookup sniffers violate the passive activity code; they begin to inject packets into the network. Probably not a good design decision.

Source routing to suspicious node

routing tables and simply forward the packets to next hop in the list.

1. Create a source routed ping to the suspicious node
2. Make the intermediary nodes non-routing
3. Send the packet on the wire
4. If we get a response from the suspicious node then the node is in promiscuous mode, because our intermediary would have dropped the packet since it doesn’t route, so the suspicious node could only have gotten this packet by sniffing the wire

Page 15

Other Methods

- Employing a honeypot:
  - Let an automated script generate clear-text traffic and lure the hackers into sniffing the traffic. The fact that the password is sniffed can be used to identify the sniffer
- Network latency monitoring:
  - Uses the fact that sniffers process an unusually large number of packets to detect the sniffer. Load the network with dummy packets and ping sweep the machines. The ones with sniffers will have large latency (Not a viable solution.)
- Time-domain reflectometers:
  - TDRs work like RADAR. It sends out a pulse and detects reflections off the wire. This can also detect addressless passive hardware sniffers on the wire
- SNMP monitoring:
  - Lets you track connection details. If a packet takes an unusual path on the network, most probably a sniffer is trying to lure packets its way. Known as ARP spoofing

How to avoid sniffers

(switched medium)

- Switch jamming
- ARP spoof
- ICMP Redirect
- ICMP Router Advertisements
- Cable taps
- SSH for telnet
- SFTP for FTP
- SSL Tunneled IMAP for IMAP
- PGP for unencrypted email
- VPN for clear-text traffic

Page 16

Sniffers and Anti-Sniffers

Ethernet Detector)

- CPM (Check Promiscuous Mode)

Route Discovery

- Packets to and from a host have route symmetry on the Internet.
- Which means, with high probability, packets from node A to node B travel the same path as packets from node B to node A.
- And most often packets from the same source to the same destination follow the same path.
- Our goal is to find the intermediate nodes a packet travels through to reach a remote node.
- How shall we implement this?

Page 17

Using IP Record Route Option (RR)

- We can use the IP record route option with ICMP Echo Request (ping –R).
- This allows intermediate routers to put their IP addresses in the header, and when the packet reaches the destination it copies the route into the Echo Reply and sends it back to the source
- This is not a good implementation. Why?
  1. Requires all routers to support RR
  2. Requires a ping server at the destination. Most ping servers reflect the Echo Request, so the return path is also recorded
  3. There is no room for long paths. The IP header has room for only 9 addresses but routes in the current Internet are longer; the average is about 14 hops
- So we need an implementation that doesn’t depend on any special servers and works by default on any router

Using IP TTL Field

discards the datagram and sends an ICMP Time Exceeded message to the source.

the source address.

this information:

```
/* Route discovery by stepping the TTL (the slide's pseudocode) */
i = 1;
while (i <= 255) {
    send_UDP(TTL = i, dest, port = 65521);          /* UDP probe to an unlikely port */
    if (receive_ICMP(dest) == "Port Unreachable")   /* destination reached: stop */
        break;
    ++i;                                            /* Time Exceeded from hop i: go one hop further */
}
```

Page 18

Using IP TTL Field

1. We send a UDP packet to a large port number (65521), wrapped in an IP datagram with TTL=1…255
2. When the TTL reaches 1 or 0, routers return ICMP Time Exceeded. Then we increment TTL by one and send the packet again
3. When the packet reaches the destination, it sends out an ICMP Port Unreachable message, because it is highly unlikely that any application is listening on the port we randomly chose
4. The algorithm terminates either when it gets Port Unreachable or at TTL=255

behaviors of routers and a standard UDP implementation at the destination.
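The TTL-stepping loop of steps 1 to 4, as an added Python example that is not from the slides: no raw sockets are used; the network is simulated by a probe function built from a constructed list of hop addresses, which also lets it cover a hop that never answers (shown as `*`), a case the slide's loop does not handle.

```python
TIME_EXCEEDED, PORT_UNREACHABLE, NO_REPLY = "Time Exceeded", "Port Unreachable", None
PROBE_PORT = 65521   # the unlikely UDP port from the slide


def make_path(hops, dest, silent=()):
    """Constructed network: `hops` are router addresses in order, `dest` the target.
    Returns send_probe(ttl) -> (icmp_kind, replying_address) behaving as the slide
    describes; addresses in `silent` never answer (e.g. a router that drops ICMP)."""
    def send_probe(ttl):
        if ttl <= len(hops):
            # Router number `ttl` decrements the TTL to 0, discards the datagram
            # and sends ICMP Time Exceeded back to the source address.
            router = hops[ttl - 1]
            return (NO_REPLY, None) if router in silent else (TIME_EXCEEDED, router)
        # The datagram reaches dest; nothing listens on PROBE_PORT, so the UDP
        # implementation there answers with ICMP Port Unreachable.
        return (NO_REPLY, None) if dest in silent else (PORT_UNREACHABLE, dest)
    return send_probe


def discover_route(send_probe, max_ttl=255):
    """The TTL-stepping loop: TTL = 1, 2, ... until Port Unreachable or max_ttl.
    Returns the hop addresses in order, with '*' for a hop that sent no reply."""
    route = []
    for ttl in range(1, max_ttl + 1):
        kind, who = send_probe(ttl)
        route.append("*" if who is None else who)
        if kind == PORT_UNREACHABLE:
            break                      # destination reached
    return route                       # otherwise: gave up at TTL=max_ttl
```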

Uses of Route Discovery

- Maps out the network topology (Look at the map of the Internet in our lab)
- To get an idea of the network neighborhood
- Network fault analysis
- Route Discovery Tools:

Page 19

Summary of Today’s Lecture

- Extremely quick review of networking
- Somewhat quick review of network programming
- Sniffing
- Route discovery
- CASL
- Fingerprinting
- Spoofing

Posted: 14/03/2014, 22:20
