Security of Communication

Networks
Slim REKHIS
SUPCom

INDP3
IST, IRES, RSM
Semestre I, 2011/2012

Course outline
Content
Security Fundamentals
Virtual Private Networks
Firewalls
Access control and multi-level security
Intrusion detection

Chapter1
Security Fundamentals

INDP3
IST, IRES, RSM
Semestre I, 2011/2012

Slim REKHIS
SUPCom

Motivations
Information systems have been penetrated by
unauthorized users and rogue programs
Increased volume of security breaches (Computer
Emergency Response Team , CERT, reports a
tremendous increase of security incidents).
Security attacks are of increasing severity and
sophistication.
Distributed Denial of Service (DDOS) attacks.

Examples of security attacks

Worm attacks (e.g., code red).
Capture of network traffic (e.g., userIDs, passwords)
Exploitation of software bugs.
Unauthorized access to resources (modification,
and destruction of resources).
Compromised system used as attack facility.
Identity spoofing as authorized user or end system.
Insider malice (deliberate insertion of malicious or
infected code, information disclosure )
5

Attacks sophistication versus Intruder knowledge

Percentage of keytype of incidents

By percent of responders

Percentage of keytype of incidents

By percent of responders

Factors contributing to intrusions

Lack of awareness of threats and risks.
Importance to security measures is not grated until an
Enterprise has been penetrated by malicious users.
Wide-open network policies (many Internet sites allow
wide-open Internet access).
Vast majority of network traffic is unencrypted.
Lack of security in TCP/IP protocol suite
Complexity of security management and administration.
Existence of software bugs.
Attackers skills keep improving.
10

Catagories of attacks
Interruption: A system asset is destroyed or becomes unavailable
Attack on availability
E.g., destroying file system, flooding a communication link with packets.

Interception: An unauthorized party gains access to an asset.

Attack on confidentiality
E.g., Unauthorized copying of data or programs, sniffing network traffic.

Modification: An unauthorized party gains access and alters an asset.

Attack on integrity
e.g., modifying the expected functionality of a program, changing the contents
of a message.

Fabrication: Unauthorized party inserts a fake object to the system.

Attack on authenticity
E.g., insertion of records in a log file, insertion of a fake datagram in a network
11

Attacks on security protocols

12

Active vs. passive attacks

Passive attacks
Release of message content: a message may be carrying sensitive data.
Traffic analysis: an intruder makes inference (even if messages are
encrypted) by observing message patterns: host location and identity can be
revealed
Footprinting: creating a complete profile of an organizations security
capabilities

Active attacks
Masquerade: an entity pretends to be some other entity.
Replay: an entity captures a data unit and retransmit it to produce an
unauthorized effect.
Message modification : en entity modifies a portion of a legitimate message
to produce an undesirable effect.
Denial of service: Inhibits normal use of computer and communications
resources.
13

Caracterizing digital attacks

Digital attacks have additional properties

with regard to traditional ones
Coordination
Tracing difficulty
Rapid propagation
Self-propagation
Remote execution
Weakness of the legal frameworks

Attack features
Coordination: Multiple attackers can cooperate
through resource sharing, task allocation, and
synchronization.
Generated alerts are characterized by an amount
of uncertainty.
Should be taken into consideration when making
decisions based on generated alerts

Versioning: Statistics show that attack schemes

seldom vary.
Attackers often introduce several slight modifications
on the attack tool in order to adapt to the existing
vulnerabilities or to bypass the protection mechanisms.15

Some definitions
Security attack: any action that compromises the
security of information owned by an organization
or an individual.
Security mechanism: a mechanism that
implements functions designed to prevent,
detect, or respond to a security attack.
Security service: A service that enhances the
security of data processing systems and
information transfers.
A security service uses one or more security
mechanisms to counter a security attack.

16

Some definitions
Alert: A message sent by attack detection tools
(e.g., IDS) when they observe an attack.
Threat: possible attack on the system.
Vulnerability: a weakness that may be exploited
to cause loss or harm
Risk: a measure of the possibility of security
breaches and severity of the obtained damages.
Requires assessment of threats and
vulnerabilities
17

Classifying vulnerabilities

Application-level vulnerabilities
Operating systems
Web applications (e.g., servers, servlets)
Database applications
Network protocol implementations

Protocol vulnerabilities
Human-related vulnerabilities
Misconfiguration of equipments (i.e firewall, router,
switch)
Weak password protection
Confidentiality violations

DDoS attacks in 2G Cellular Networks

Weaknesses of DDoS attacks in 2G cellular networks are mainly
linked to authentication vulnerabilities in the used protocols.
One of the most known DoS attacks is the false BTS attack that first
appeared with GSM networks.
The malicious BTS sends stronger signals to users in the current cell
Users will be detached from the network

19

DDoS attacks in 2.5G networks

2.5G cellular networks and beyond are offering data
services, several vulnerabilities were inherited from the
Internet.
Protocols used for data-services such as TCP and ICMP are
vulnerable to DDoS attacks.
Openness of the network to Internet.

TCP SYN Flood attack represents one of the famous

DDoS attacks in 2.5G networks
An intruder takes control of a sufficient number of mobiles by
means of viruses
He instructs them to establish a set of successive half open TCP
connections to a server in order to exhaust its memory and fill up
20
connections queue.

DDoS attacks in 3G networks

DDoS attacks are more significant
Use of a huge number of PUSH services, which are initiated from Internet.
Use of packet switching technology and vulnerability to IP-based attacks.

Radio channels consumption

An attacker breaks into weakly secure UE and uses them as zombies.
Later he instructs them to generate incomplete calls at the same time
With a significant number of attackers in each cell, the network can be broken
down for a long period of time.

Telephonic servers abuse

An attackers makes a large number of cell phones simultaneously calling a
voice server.
The target will be unreachable during the attack.
21

Example of Web application vulnerability

IIS/PWS Extended Unicode Directory Traversal vulnerability
Normally, IIS checks URL strings to ensure that certain constructs
do not occur.
e.g., a requester attempts to access some parent of the /scripts directory
http://www.example.com/scripts/..\../winnt/system32/cmd.exe?/c+dir

IIS catches this and returns an HTTP 404 - File not found response.

When the exact same request is made in the following form by

encoding some characters in unicode
http://www.example.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

The response is:

Directory of c:\inetpub\scripts
10/01/2001 03:46p
<DIR> .
10/01/2001
03:46p
<DIR> ..
0 File(s) 0 bytes 2 Dir(s) 2,527,547,392 bytes free
22

Example of operating system vulnerability

ICMP ping of death

Some Windows OSs allow non-standard ICMP messages

to be generated
Maximum ICMP packet size is 65507 bytes.
Any echo packet exceeding this size will be fragmented
by the sender and the receiver will try to reconstitute
the packet.
The hacker sends an illegal echo packet with more bytes
than allowed, causing the data to be fragmented.
When the receiver tries to reconstitute the packet, it
causes a buffer overflows, kernel dumps, and crashes
23

Example of protocol vulnerability

IPSpoofing
IP packet carries no authentication of
source address
IP spoofing is possible
IP spoofing can help malicious users to
bypass IP-based authentication mechanisms
IP spoofing occurs on other packet-switched
networks also, such as Novells IPX
24

Security services (X.800)

Privacy/confidentiality/Secrecy :
Requires that the information in a computer system and transmitted information
are accessible only for reading by authorized parties.

Integrity/authenticity:
Requires that only authorized parties are able to modify computer system assets
and transmitted information ( information should be protected from tampering.).

Authentication:
Requires that the origin of a message or electronic document is correctly identified.
Any party can verify that the other party is who he or she claims to be

Non repudiation:
requires that neither the sender nor the receiver of message be able to
deny the transmission.

Access Control :
Requires that access to information resources may be controlled by or for
the target system.

25

Security requirements for transmitting information

Authorization
Requires that an entity be specifically and explicitly authorized by the
proper authority to access the contents of an information asset

Availability
Requires that a service/resource be accessible and usable upon demand by
an authorized entity.

Accountability
Requires that every activity undertaken by an entity be attributed or
traceable uniquely to that entity.

Identification
Requires that an information system possesses the characteristic of
identification when they are able to recognize individual users
26

Authentication VS. Authorization

Authentication:
to prove a person is really who he/she claims to be.

Authorization:
verify that whether a legal person has the privilege to perform
a task or a right to access certain resources after the person
has been authenticated.

Example:
A process P created by a user U contacts a server to delete
a file F. The server needs to handle the two issues:
Is this actually the process of U ? (authentication)
Is U allowed to delete the file ? (authorization)
27