Network Security
Instructor: 鄭伯炤 (Bo Cheng), Department of Communications Engineering, National Chung Cheng University
Tel: 05-272-0411 Ext 33512, Email: bcheng@ccu.edu.tw

Posted 19-Dec-2015 (Documents)

Transcript of the slides:

Page 1

Network Security

Instructor: 鄭伯炤 (Bo Cheng), Department of Communications Engineering, National Chung Cheng University

Tel: 05-272-0411 Ext 33512, Email: bcheng@ccu.edu.tw

Page 2

http://www.andrew.cmu.edu/course/95-753/lectures/MooreTalkCERT-combined.pdf

We Are in a Dangerous Zone!

• Insider / Outsider
• Unstructured / Structured

CERT: Computer Emergency Response Team

http://www.cert.org/

Page 3

What Is Network Security?

• Confidentiality: The property that information is not made available or disclosed to any unauthorized system entity.

• Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

• Availability: Services must be accessible and available to authorized users when they need them.

(Figure: the Confidentiality / Integrity / Availability triangle, labelled Network Security.)

ftp://ftp.rfc-editor.org/in-notes/rfc2828.txt

Page 4

Confidentiality Enabler

• AAA
  – Authentication: The process of verifying an identity claimed by or for a system entity.
  – Authorization: A right or a permission that is granted to a system entity to access a system resource.
  – Accounting: Ensures that the actions of a system entity can be traced uniquely to that entity, which can be held responsible for its actions.

• Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.

(Figure: Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext.)

Page 5

Attack Motivations, Phases and Goals

• Motivations: Revenge, Political activism, Financial gain
• Goals: Data manipulation, System access, Elevated privileges, Denial of Service
• Phases
  1. Collect Information: Public data source; Scanning and probing
  2. Analyze Information & Prepare Attacks: Service in use; Known OS/Application vulnerability; Known network protocol security weakness; Network topology
  3. Actual Attack: Network Compromise; DoS/DDoS Attack (Bandwidth consumption; Host resource starvation)

Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses Author: Ed Skoudis; Publisher: Prentice Hall; ISBN 0130332739

Page 6

Tools, Tools, Tools

• Reconnaissance: Nslookup, Whois, ARIN, Dig, Target Web Site, Others
• Network Scanning: Telnet, Nmap, Hping2, Netcat, ICMP (Ping and Traceroute)
• Vulnerability Assessment: Nessus, SARA
• Penetration Tools

http://www.sans.org/rr/papers/index.php?id=267

“Penetration Studies – A Technical Overview”

GSEC SANS GIAC Certification: Security Essentials Toolkit Author: Eric Cole et al. ISBN 0789727749

Page 7

Hacker vs. Cracker

• Cracker (怪客): Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so.
  – Crackers concentrate on intrusion, destruction and data theft, attacking others on the network at will.
  – Many "crack" programs circulating on the network (often mislabelled "hacker software") were released maliciously by crackers to disrupt order on the network.
  – What the mass media calls "hackers" are in fact these highly knowledgeable crackers.

• Hacker (駭客): Someone with a strong interest in computers, who enjoys learning about them and experimenting with them.
  – Does not deliberately destroy data on other people's hosts.
  – Breaks into a computer only to prove that a security hole really exists, and after the intrusion sends an e-mail to the site's top-privileged administrator telling them where the hole is.

http://www.trendmicro.com/tw/products/desktop/gatelock/use/hackers.htm

Page 8

Dollar Amount of Losses in 2003

Source: CSI/FBI 2003 Computer Crime and Security Survey

The total annual losses reported in the 2003 survey were $201,797,340.

Page 9

Denial of Service (DoS)

• The prevention of authorized access to a system resource or the delaying of system operations and functions (RFC 2828).
  – IETF: The Internet Engineering Task Force
  – RFC: Request for Comments

• Modes of Attack
  – Consumption of Scarce Resources
  – Destruction or Alteration of Configuration Information
  – Physical Destruction or Alteration of Network Components

http://www.cert.org/tech_tips/denial_of_service.html

Page 10

Building a Security Perimeter

• The boundary of the domain in which a security policy or security architecture applies (RFC 2828)

• Components
  – Firewall
  – Virtual Private Network (VPN)
  – Intrusion Detection System (IDS)

• Defense in depth: multiple layers of protection to prevent and mitigate security incidents (an incident being an event that involves a security violation).

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPN's), Routers, and Intrusion Detection Systems Author: Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent Frederick, et al.; ISBN 0735712328

Page 11

Firewall

• A gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one said to be "outside" the firewall).

• Access Control List (ACL): A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource.

(Figure: a firewall between Outside and Inside, with an ACL applied on each side.)

http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Page 12

Intrusion Detection System (IDS)

• A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner. (RFC 2828)

• Types of IDS:
  – Host-based: operates on information collected from within an individual computer system.
  – Network-based: listens on a network segment or switch and detects attacks by capturing and analyzing network packets.

http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf

Page 13

Virtual Private Network (VPN)

• A VPN is a data network connection that makes use of the public communication infrastructure, but maintains privacy through the use of a tunneling protocol and security procedures.

http://www.computerassets.com/downloads/Why_VPN.doc

(Figure: Branch Office, HQ and Business Partners connected across the Internet by VPN tunnels.)

Page 14

Net, Net and Net

• Intranet: VPN facilitates secure communications between a company's internal departments and its branch offices.

• Extranet: Extranet VPNs between a company and its strategic partners, customers and suppliers require an open, standards-based solution to ensure interoperability with the various solutions that the business partners might implement.

• Internet: A global and public network connecting millions of computers.

Page 15

Financial Losses in 2002

(Chart, $Million, y-axis 0 to 200: Theft of proprietary info; Sabotage of network; System penetration by outsider; Insider abuse of Net access; Financial fraud; DoS; Virus; Laptop theft. Source: 2002 CSI/FBI Survey. Countermeasure labels on the slide: Firewall, AAA, VPN, Anti-virus, Intrusion Detection.)

• 100% security is impossible; security can only mitigate, not eliminate
• Authentication: "Are you who you say you are?" Authorization: "Can you do that?" Accounting: "What did you do?"
• RADIUS: Remote Authentication Dial-In User Service

Page 16

IPSec vs. SSL

• IPSec (Internet Protocol Security)
  – Tunnel between the two endpoints
  – Works on the Network Layer of the OSI Model, without an association to any specific application
  – When connected on an IPSec VPN the client computer is "virtually" a full member of the corporate network, able to see and potentially access the entire network
  – The majority of IPSec VPN solutions require third-party hardware and/or software

• SSL
  – A common protocol; most web browsers have SSL capabilities built in
  – More precise access control
  – Only works for web-based applications, and for applications it is possible to web-enable

Page 17

Hacking Techniques

Page 18

Attack Motivations, Phases and Goals (recap of Page 5)

Page 19

Tools, Tools, Tools (recap of Page 6)

Page 20

Collect Information

• Public data source

• Scanning and probing

Page 21

Whois Database

• Contain data elements regarding Internet addresses, domain names, and individual contacts

• domain name uniquely

Page 22

ARIN

• American Registry for Internet Numbers

• Gather information about who owns particular IP address ranges, given company or domain names

Page 23

DNS

• A hierarchical database

(Figure: The DNS hierarchy)
  Root DNS Servers (start point)
    com DNS Servers → abc.com DNS Servers
    net DNS Servers
    org DNS Servers

Page 24

DNS Resolve

(Figure: A recursive search to resolve a domain name)
1. CLIENT → LOCAL DNS SERVER: www.abc.com?
2. LOCAL DNS SERVER → ROOT DNS SERVER: www.abc.com?  Answer: referral to com
3. LOCAL DNS SERVER → com DNS SERVER: www.abc.com?  Answer: referral to abc.com
4. LOCAL DNS SERVER → abc.com DNS SERVER: www.abc.com?  Answer: www.abc.com = 10.11.12.13
5. LOCAL DNS SERVER → CLIENT: www.abc.com = 10.11.12.13

Page 25

Some DNS Record Types

Record Type | Purpose | Example Record Format
Address (A Record) | Maps a domain name to a specific IP address | www 1D IN A 10.1.1.1
Host Information (HINFO Record) | Identifies the host system type | www 1D IN HINFO Solaris8
Mail Exchanger (MX Record) | Identifies a mail system accepting mail for the given domain | @ 1D IN MX 10 mail.abc.com
Name Server (NS Record) | Identifies the DNS servers associated with the given domain | @ 1D IN NS nameserver.abc.com
Text (TXT Record) | Associates an arbitrary text string with the domain name | System1 IN TXT "This is a cool system"

Page 26

nslookup

• Return from local DNS cache
• Return from remote DNS cache
• Zone Transfer
• Reverse lookup: IP address to domain name
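Pulling the zone by transfer (the "Zone Transfer" bullet above) hands an attacker the whole record set at once. As an added example that is not part of the slides, the following Python parses records written in the format of the Page 25 table and summarizes what a leaked zone reveals: the address inventory, which of those addresses are RFC 1918 internal hosts that should never appear in a public zone, the mail and name servers, and the HINFO/TXT records that describe hosts. The abc.com zone text is constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample zone for the hypothetical abc.com, in the Page 25 record format.
SAMPLE_ZONE = """
$ORIGIN abc.com.
@        1D IN NS    nameserver.abc.com.
@        1D IN MX 10 mail.abc.com.
www      1D IN A     203.0.113.10
www      1D IN HINFO "Sun Ultra" "Solaris8"
mail     1D IN A     203.0.113.25
system1     IN TXT   "This is a cool system"
db-int   1D IN A     10.1.1.5
db-int   1D IN HINFO "Dell PowerEdge" "Windows2000"
"""

# name, optional TTL (e.g. 1D or 3600), class IN, type, rdata
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+[smhdw]?)\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Turn zone-file lines into {name, type, rdata} dicts, expanding @ and relative names."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                                  # directive we do not handle
        name = m.group("name")
        if name == "@":
            name = origin
        elif not name.endswith(".") and origin:
            name = f"{name}.{origin}"
        records.append({"name": name.rstrip("."), "type": m.group("type").upper(),
                        "rdata": m.group("rdata").strip()})
    return records


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def triage_zone(records):
    """Summarize what a zone transfer gives an attacker (and what a defender should remove)."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    hosts = {r["name"]: r["rdata"] for r in by_type["A"]}
    return {
        "hosts": hosts,                                             # name -> address inventory
        "private_hosts": {n: ip for n, ip in hosts.items() if is_rfc1918(ip)},
        "mail_servers": [r["rdata"] for r in by_type["MX"]],
        "name_servers": [r["rdata"] for r in by_type["NS"]],
        "info_leaks": [(r["name"], r["type"], r["rdata"])          # OS and free-text hints
                       for r in by_type["HINFO"] + by_type["TXT"]],
    }


if __name__ == "__main__":
    for key, value in triage_zone(parse_zone(SAMPLE_ZONE)).items():
        print(f"{key}: {value}")
```

The defender's reading of the same output is the to-do list: restrict AXFR to the secondary servers, drop HINFO and chatty TXT records, and keep internal names in the internal view of a split DNS (Page 27) rather than the public zone.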

Page 27

(Figure: A split DNS. An INTERNAL DNS server on the INTERNAL NETWORK answers the INTERNAL SYSTEMS; a separate EXTERNAL DNS server in the DMZ answers queries from the INTERNET and carries only the public names.)

Page 28

DMZ

• DMZ stands for De-Militarized Zone. The DMZ setting allows the server that provides public resources (e.g. Web or FTP) to be mapped to a public IP address for Internet users in a broadband sharing router environment.

(Figure: DMZ systems, such as Web, Mail, DNS and FTP, sit between the INTERNET and the Internal Network; the diagram marks which paths are Allowed and which are Forbidden.)

Page 29

Collect Information

• Public data source

• Scanning and probing

Page 30

Network Mapping

• Map out your network infrastructure
  – Mapping and scanning your Internet gateway, including DMZ systems such as Web, mail, FTP, and DNS
  – Mapping and scanning your internal network

• Techniques
  – Finding live hosts
  – Tracing your network topology

Page 31

Finding Live Hosts

• Two methods
  – ICMP ping
    • Ping all possible addresses to determine which ones have active hosts
    • Ping sends an ICMP Echo Request packet
      – If alive, the host sends back an ICMP Echo Reply message
      – Otherwise, nothing is listening at that address (or the echo is being filtered)
  – TCP/UDP packet
    • If incoming ICMP is blocked, send a TCP or UDP packet to a port, such as TCP port 80

Page 32

Traceroute

(Figure: Using traceroute to discover the path from source to destination. The source sends a probe with TTL = 1; the first router decrements it to zero and returns an ICMP Time Exceeded message. The next probe goes out with TTL = 2 and the second router replies Time Exceeded, and so on until the destination itself answers.)

Page 33

Cheops

Page 34

Defenses against Network Mapping

• Filter
  – IN: Firewalls and the packet-filtering capabilities of your routers
  – OUT: Stop ICMP Time Exceeded messages leaving your network

• Blocking
  – Block incoming ICMP messages at the gateway
  – Ping the Web server? Maybe
  – Ping the DMZ database server? Probably not
  – Ping internal network hosts? Definitely not

Page 35

Using port scanners

• Analyzing which ports are open
  – To know the purpose of each system
  – To learn potential entryways into the system

• The TCP/IP stack has 65,535 TCP ports and 65,535 UDP ports

• "Well-known" port numbers
  – TCP port 80 (HTTP)
  – RFC 1700 (since superseded by the IANA port-number registry)

• Nmap @ www.insecure.org/Nmap

Page 36

Nmap

• Scans are characterized by what type of packets the scanning system sends
  – TCP Connect, TCP SYN, TCP FIN, ...

Page 37

Types of Nmap Scans

• Legitimate TCP connections are established using a three-way handshake

(Figure: The TCP three-way handshake)
  ALICE → BOB: SYN with ISN_A
  BOB → ALICE: ACK ISN_A and SYN with ISN_B
  ALICE → BOB: ACK ISN_B
  Connection established

Page 38

TCP Header (20 octets without options)

Bit:  0          4           10          16                        31
      Source port                        | Destination port
      Sequence number
      Acknowledgement number
      Data offset | Reserved | URG ACK PSH RST SYN FIN | Window
      Checksum                           | Urgent pointer
      Options + padding

Page 39

The Polite Scan: TCP Connect

• Completes the three-way handshake, and then gracefully tears down the connection using FIN packets

• If the port is closed
  – No SYN-ACK is returned
  – The scanner receives either no response, a RESET packet, or an ICMP Port Unreachable

• Easy to detect: the completed connection reaches the application and is logged

Page 40

A Little Stealthier: TCP SYN Scan

• TCP SYN scans
  – Send a SYN to each target port
  – If the port is open, a SYN-ACK comes back
  – The scanner then sends a RESET packet, aborting the connection before it completes

• Referred to as "half-open" scans

• Two benefits
  – The end system does not record the connection (it never completed), although routers or firewalls may still log it
  – Its speed

Page 41

Other Scans: Violate the Protocol Spec.

• TCP FIN scan
  – Sends a FIN packet, which normally tears down a connection, but no connection was ever set up!!

• Xmas Tree scan
  – Sends packets with the FIN, URG, and PUSH code bits set

• Null scan
  – Sends packets with no code bits set

Page 42

TCP ACK Scans

(Figure: Allowing outgoing sessions (and responses), while blocking incoming session initiation. A Packet Filter Device sits between the EXTERNAL NETWORK and the INTERNAL NETWORK: a SYN from inside and the SYN-ACK that answers it are allowed, "allow outgoing traffic and the established responses", while an incoming packet with the SYN bit set is blocked.)

Page 43

TCP ACK Scans (cont.)

(Figure: From the EXTERNAL NETWORK the attacker sends ACK packets through the Packet Filter Device to destination ports 1024, 1025 and 1026 on the INTERNAL NETWORK. The filter passes bare ACKs as if they were responses to established sessions; a RESET comes back for port 1026: "Aha! I know port 1026 is open through the firewall".)
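Pages 37 through 43 describe each scan by the flags it sends and the reply it expects. As an added example that is not from the slides or from Nmap, the following Python encodes the RFC 793 reply rules of an unfiltered host (SYN-ACK or RST for a SYN; RST for any bare ACK; RST only on a closed port for FIN, Xmas and Null probes) together with the stateless "block incoming SYN" rule of the Page 42 packet filter, and classifies each probe the way a scanner reports it. Packets are plain flag values; nothing touches the network. One caveat the slides do not mention: Windows stacks answer FIN, Xmas and Null probes with RST on open ports too, so those three scans tell you nothing against them.

```python
# Flag bits as laid out in the TCP header of Page 38.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYNACK = SYN | ACK

PROBES = {                      # what the scanner sends for each scan type
    "connect/syn": SYN,
    "fin":         FIN,
    "xmas":        FIN | URG | PSH,
    "null":        0,
    "ack":         ACK,
}


def stateless_filter(flags):
    """Page 42 rule: drop inbound packets with SYN set and ACK clear; pass everything else.

    A stateless filter cannot tell a response to an outgoing session from a bare
    ACK probe, which is exactly what the ACK scan exploits."""
    return not (flags & SYN and not flags & ACK)


def target_reply(flags, port_open):
    """RFC 793 behaviour of an unfiltered host for a probe carrying `flags`.

    Returns the flag set of the reply, or None when the stack stays silent."""
    if flags & RST:
        return None                          # RSTs are never answered
    if flags & ACK:
        return RST                           # no such connection: RST, open or closed
    if flags & SYN:
        return SYNACK if port_open else RST
    # No SYN and no ACK (FIN, Xmas, Null): closed port sends RST, open port stays silent
    return None if port_open else RST


def scan(probe, port_open, filtered=False):
    """Classify one port from the scanner's point of view, as a scanner would report it."""
    flags = PROBES[probe]
    if filtered and not stateless_filter(flags):
        return "filtered"                    # the probe never reached the host
    reply = target_reply(flags, port_open)
    if probe == "ack":
        # An ACK scan says nothing about open/closed, only whether the filter let it through
        return "unfiltered" if reply == RST else "filtered"
    if probe == "connect/syn":
        return "open" if reply == SYNACK else "closed"
    # FIN / Xmas / Null: silence means open (or filtered), RST means closed
    return "closed" if reply == RST else "open|filtered"


def scan_matrix():
    """Every probe against an open and a closed port, with and without the Page 42 filter."""
    rows = {}
    for probe in PROBES:
        for filt in (False, True):
            rows[(probe, filt)] = (scan(probe, True, filt), scan(probe, False, filt))
    return rows


if __name__ == "__main__":
    print(f"{'probe':12} {'filter':6} {'open port':16} {'closed port'}")
    for (probe, filt), (o, c) in scan_matrix().items():
        print(f"{probe:12} {str(filt):6} {o:16} {c}")
```

The matrix makes the slides' claims concrete: the SYN scan is blocked outright by the filter, the FIN/Xmas/Null probes slip past it but can only say "closed" or "open|filtered", and the ACK probe passes in both directions and so maps the filter rule rather than the port.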

Page 44

Vulnerability Scanning Tools

• What is a vulnerability scanner?

• Types of vulnerabilities
  – Common configuration errors
  – Default configuration weaknesses
  – Well-known system vulnerabilities

Page 45

Vulnerability Scanning Tools (cont.)

(Figure: A generic vulnerability scanner. A User Configuration Tool and a Results Repository & Report Generation component sit on the user side; the Scanning Engine consults a Vulnerability Database and a Knowledge Base of the Current Active Scan, and probes the TARGETS.)

Page 46

Nessus

• Nessus plug-in categories:
  – Finger abuses
  – Windows
  – Backdoors
  – Gain a shell remotely
  – CGI abuses
  – Remote file access
  – RPC
  – Firewalls
  – FTP
  – SMTP
  – ...

Page 47

The Nessus Architecture

• Client-server architecture
  – Client: user configuration tool and a results repository/report generation tool
  – Server: vulnerabilities database, a knowledge base of the current active scan, and a scanning engine
• Supports strong authentication, based on public key encryption
• Supports strong encryption based on the Twofish and RIPEMD algorithms
• The advantage of the client-server architecture
• The most common use: running on a single machine

Page 48

Gaining Access Using Application and Operating System Attacks

Page 49

Outlines

• Stack-Based Buffer Overflow Attacks

• Password Attacks

• Web Application Attacks

Page 50

What is a Stack-Based Buffer Overflow?

Page 51

The Make up of a Buffer Overflow

Page 52

Application Layer IDS Evasion for Buffer Overflow

• K2 released ADMutate

• Polymorphism
  – For the NOPs: substitutes a bunch of functionally equivalent instructions for the NOP sled, so a signature for a run of NOPs no longer matches
  – For the machine language code: applies XOR to the code to combine it with a randomly generated key, with a short decoder in front of the exploit to restore it at run time

(Figure: a buffer overflow exploit → ADMutate → a new exploit.)

Page 53

Outlines

• Stack-Based Buffer Overflow Attacks

• Password Attacks

• Web Application Attacks

Page 54

Password Attacks

• Guessing Default Passwords
• Password Guessing through Login Scripting
• Password Cracking

Page 55

Let's Crack Those Passwords!

• Stealing the encrypted (hashed) passwords and trying to recover the clear-text password
  – Dictionary
  – Brute-force cracking
  – Hybrid

Password cracking is really just a loop:
  1. Create a password guess
  2. Encrypt (hash) the guess
  3. Compare the encrypted guess with the encrypted value from the stolen password file
  4. If they match, you've got the password! Else, loop back to the top.
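The loop on this slide, written out as runnable Python. This is an added example, not code from the slides or from L0phtCrack or John the Ripper; the "stolen password file" is constructed here with a simple salted SHA-256 scheme standing in for crypt() or NT hashes, and the word list is made up. It shows the three guess sources the slide names (dictionary, hybrid, brute force) feeding the same guess → hash → compare loop, and why a per-user salt forces one hash computation per guess per account.

```python
import hashlib
import itertools
import os
import string


def make_entry(user, password, salt=None):
    """Constructed password-file line: user:salt:sha256(salt + password). Not a real scheme."""
    salt = salt or os.urandom(4).hex()
    return f"{user}:{salt}:{hashlib.sha256((salt + password).encode()).hexdigest()}"


# Hypothetical stolen file: a weak password, a "hybrid" one, and a short random one.
STOLEN_FILE = "\n".join([
    make_entry("alice", "letmein", "1a2b"),
    make_entry("bob", "Summer2003!", "c3d4"),
    make_entry("carol", "x7$Qm", "e5f6"),
])

WORDLIST = ["password", "letmein", "summer", "winter", "admin"]   # constructed


def hash_guess(salt, guess):
    return hashlib.sha256((salt + guess).encode()).hexdigest()


def dictionary_guesses(words):
    """Plain dictionary attack: each word as-is."""
    yield from words


def hybrid_guesses(words):
    """Hybrid attack: case variants plus the digit/year/symbol suffixes people append."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "2003", "2003!"):
                yield base + suffix


def brute_force_guesses(alphabet, max_len):
    """Exhaustive search: every string up to max_len; cost grows as |alphabet| ** len."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(stolen_file, guess_source, budget=None):
    """The slide's loop: guess -> hash -> compare -> match, else next guess.

    The salt differs per user, so every guess is hashed once per entry; a salt-less
    scheme would let one hash be compared against all entries (or a precomputed table).
    Returns {user: password} for every entry recovered within `budget` guesses."""
    entries = [tuple(line.split(":")) for line in stolen_file.splitlines()]
    found = {}
    for tried, guess in enumerate(guess_source, 1):
        for user, salt, digest in entries:
            if user not in found and hash_guess(salt, guess) == digest:
                found[user] = guess
        if len(found) == len(entries) or (budget and tried >= budget):
            break
    return found


if __name__ == "__main__":
    print("dictionary:", crack(STOLEN_FILE, dictionary_guesses(WORDLIST)))
    print("hybrid:    ", crack(STOLEN_FILE, hybrid_guesses(WORDLIST)))
    alphabet = string.ascii_lowercase + string.digits
    print("brute:     ", crack(STOLEN_FILE, brute_force_guesses(alphabet, 3), budget=50_000))
```

Run as written, the dictionary pass recovers only alice, the hybrid pass adds bob, and fifty thousand brute-force guesses over lower-case letters and digits recover nothing, because carol's password is five characters drawn from a larger alphabet: the cost of the loop, not its cleverness, is what a password policy controls.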

Page 56

Tools for Cracking Passwords

• Cracking Windows NT/2000 passwords using L0phtCrack (LC4): http://www.atstake.com/products/lc/
• Cracking UNIX-like and Windows-based passwords using John the Ripper: http://www.openwall.com/john/

Page 57

Outlines

• Stack-Based Buffer Overflow Attacks

• Password Attacks

• Web Application Attacks

Page 58

Account Harvesting

• Account harvesting's concept
  – The application returns a different error message for an incorrect user ID than for an incorrect password, so an attacker can tell which user IDs exist

• Lock out user accounts after repeated failures?
  – Yes: an attacker can lock out legitimate users (a DoS attack)
  – No: password guessing across the network goes unchecked
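An added example (not from the slides) of the login check behind account harvesting: a version whose error messages leak which user IDs exist, beside a hardened version that returns one message for both failures, spends the same password-hashing work on unknown users so response time does not leak either, and throttles repeated failures per account instead of locking it out, which is the lock-out trade-off the slide raises. Account names, passwords, and the PBKDF2 parameters are hypothetical.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


def pbkdf2(password, salt):
    # Hypothetical parameters; a real deployment tunes the iteration count to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user store: user -> (salt, derived key).
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
USERS = {
    "alice": (_SALT_A, pbkdf2("correct horse", _SALT_A)),
    "bob":   (_SALT_B, pbkdf2("hunter2", _SALT_B)),
}
# Dummy credentials so an unknown user costs the same work as a known one (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = pbkdf2("not-a-real-password", _DUMMY_SALT)


def login_harvestable(user, password):
    """Vulnerable: the message tells the attacker whether the user ID exists."""
    if user not in USERS:
        return (False, "Unknown user ID")
    salt, key = USERS[user]
    if pbkdf2(password, salt) == key:
        return (True, "Welcome")
    return (False, "Incorrect password")


MAX_FAILURES, WINDOW = 5, 300.0          # hypothetical policy: 5 failures per 5 minutes
_failures = defaultdict(list)             # user -> timestamps of recent failures


def login_hardened(user, password, now=None):
    """Uniform error message, constant-time compare, dummy work for unknown users,
    and a sliding-window throttle instead of a hard lockout.

    `now` is injectable so the window logic can be exercised without waiting."""
    now = time.monotonic() if now is None else now
    recent = [t for t in _failures[user] if now - t < WINDOW]
    _failures[user] = recent
    if len(recent) >= MAX_FAILURES:
        return (False, "Too many attempts; try again later")
    salt, key = USERS.get(user, (_DUMMY_SALT, _DUMMY_KEY))
    ok = hmac.compare_digest(pbkdf2(password, salt), key) and user in USERS
    if not ok:
        _failures[user].append(now)
        return (False, "Invalid user ID or password")
    _failures[user].clear()
    return (True, "Welcome")


if __name__ == "__main__":
    print(login_harvestable("mallory", "x"), login_harvestable("alice", "x"))   # distinguishable
    print(login_hardened("mallory", "x"), login_hardened("alice", "x"))         # identical
```

The throttle expires on its own, so an attacker who hammers bob's account slows themselves down without taking bob offline permanently; pair it with alerting on the failure rate, because the throttle alone does not stop slow, distributed guessing.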

Page 59

(Screenshot; no recoverable text.)

Page 60

Gaining Access Using Network Attacks

Page 61

Sniffer

• A sniffer grabs anything sent across the LAN

• What type of data can a sniffer capture?
  – Anything that is not encrypted
  – An attacker must first have an account (or other foothold) on a machine attached to the LAN

• Island hopping attack

Page 62

Island hopping attack

(Figure: Island hopping attack: two LANs; the attacker uses a compromised machine on one LAN as the base for attacking the other.)

Page 63

Some of the most interesting sniffers

• Passive sniffing
  – Snort, a freeware sniffer and network-based IDS, available at www.snort.org
  – Sniffit, freeware running on a variety of UNIX flavors, available at reptile.rug.ac.be/~coder/sniffit/sniffit.html

• Active sniffing
  – Dsniff, a free suite of tools built around a sniffer running on variations of UNIX, available at www.monkey.org/~dugsong/dsniff

Page 64

Sniffing through a Hub: Passive Sniffing

(Figure: BROADCAST ETHERNET: the HUB repeats "Blah, blah, blah" out of every port, so every attached station, including the sniffer, sees it.)

Page 65

Active Sniffing: Sniffing through a Switch and Other Cool Goodies

• Switched Ethernet does not broadcast
  – The switch looks at the destination MAC address and forwards each frame only to the matching port

• Active sniffing tool: Dsniff

(Figure: SWITCHED ETHERNET: the SWITCH delivers "Blah, blah, blah" only to the intended port.)

Page 66

Advanced sniffing attacks

• Foiling Switches with Spoofed ARP Messages

• Remapping DNS names to redirect network connections

• Sniffing SSL and SSH connections

Page 67

Foiling Switches with Spoofed ARP Messages (1)

(Figure: A switched LAN prevents an attacker from passively sniffing traffic. The CLIENT MACHINE's "Blah, blah, blah" goes through the SWITCH to the DEFAULT ROUTER and on to THE OUTSIDE WORLD; the victim's traffic isn't sent to the attacker's port.)

Page 68

Foiling Switches with Spoofed ARP Messages (2)

(Figure: Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN. The CLIENT MACHINE, the attacker and the DEFAULT ROUTER hang off the SWITCH; the router leads to THE OUTSIDE WORLD.)

1. The attacker configures IP forwarding to send packets on to the default router for the LAN and activates the Dsniff program.
2. The attacker sends a fake ARP response to remap the default router's IP address to the attacker's MAC address (the victim's ARP table now holds Router's IP → Attacker's MAC instead of Router's MAC).
3. The victim sends traffic destined for the outside world. Based on the poisoned ARP table entry, the traffic is really sent to the attacker's MAC address.
4. The attacker sniffs the traffic from the link.
5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.

Page 69

Sniffing and Spoofing DNS

(Figure: The CLIENT MACHINE, the attacker and the DEFAULT ROUTER on a SWITCH; the router leads to THE OUTSIDE WORLD, where www.skoudisstuff.com, the desired destination, is at 10.22.12.41. The attacker's machine is at 10.1.1.56.)

1. The attacker activates the dnsspoof program.
2. The victim tries to resolve a name using DNS.
3. The attacker sniffs the DNS request from the line.
4. The attacker quickly sends a fake DNS response with any IP address the attacker wants the victim to use: www.skoudisstuff.com = 10.1.1.56.
5. The victim now surfs to the attacker's site instead of the desired destination.

Page 70

Sniffing an HTTPS connection using dsniff's person-in-the-middle attack

(Figure: the LAN, its DEFAULT ROUTER and THE OUTSIDE WORLD. The machine running webmitm has IP address 10.1.2.3; the desired server, labelled www.edsbank.com / www.skoudisstuff.com, is at 10.22.12.41.)

1. The attacker activates the dnsspoof and webmitm programs.
2. Dnsspoof sends a fake DNS response with the IP address of the machine running webmitm (10.1.2.3).
3. The victim establishes an SSL connection, not knowing the attacker is proxying the connection.
4. Webmitm proxies the HTTPS connection, establishing its own HTTPS connection to the real server and sending the attacker's own certificate to the client.
5. The victim now accesses the desired server, but all traffic is viewable by the attacker using webmitm as a proxy.

Note: step 3 only succeeds if the victim accepts the attacker's certificate; the browser will warn that it was not issued by a trusted CA for that site, so the attack relies on users clicking through the warning.

Page 71

IP Address Spoofing

• Changing or disguising the source IP address
  – Attackers do not want to have their actions traced back
  – Helps attackers undermine various applications

• IP Address Spoofing
  – Flavor 1: Simply Changing the IP Address
  – Flavor 2: Undermining UNIX r-Commands
  – Flavor 3: Spoofing with Source Routing

Page 72

Simply Changing the IP Address

(Figure: EVE sends SYN (A, ISN_A) to BOB with ALICE's address as the source. BOB answers ACK (A, ISN_A), SYN (B, ISN_B) to ALICE, who never started a connection and replies RESET!!! EVE never sees BOB's reply, so she cannot complete the handshake.)

Page 73

Spoofing with Source Routing 1/2

• L

ets the attacker receive the responses to spoofed packets
• Allows the source machine sending a packet to specify the path it will take through the network
• Two kinds of source routing
  – Loose source routing
  – Strict source routing
• Reference: RFC 791

Page 74

IP Options

Class | Number | Length | Description
0 | 0 | 0 | End of Options
0 | 1 | 0 | No op
0 | 2 | 11 | Security
0 | 3 | Var | Loose Source Routing
0 | 7 | Var | Record Route
0 | 8 | 4 | Stream ID (obsolete)
0 | 9 | Var | Strict Source Routing
2 | 4 | Var | Internet Time-Stamp

Page 75

Spoofing with Source Routing 2/2

(Figure: Spoofing attack using source routing. EVE builds a PACKET whose source route lists 1. Alice, 2. Eve, 3. Bob, plus the packet contents, and sends it to BOB; BOB's reply reverses the recorded route, so it travels back through EVE rather than straight to ALICE.)

Page 76

IP Spoofing Defense

• Implement "anti-spoof" packet filters
  – Both incoming (ingress) and outgoing (egress)

• Do not allow source-routed packets through network gateways

Page 77

IP Spoofing Defense

(Figure: Anti-spoof filters. A FILTERING DEVICE sits between NETWORK A and NETWORK B; a packet arriving from the NETWORK B side with an IP source address on Network A is Dropped.)
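As an added example (not from the slides), the two defenses on Page 76 implemented over raw IPv4 headers: the parser walks the option list using the type octets from the Page 74 table (Loose Source Routing is copied-flag 1, class 0, number 3, i.e. 0x83; Strict Source Routing is 0x89) and the filter applies ingress and egress anti-spoof checks for a hypothetical inside network 192.168.1.0/24. The packets are constructed inline and the header checksum is left zero, since nothing is transmitted.

```python
import ipaddress
import struct

# IP option type octets: copied flag | class | number, from the Page 74 table.
OPT_EOL, OPT_NOP = 0, 1
LSRR = 0x83   # copied=1, class 0, number 3: Loose Source Routing
SSRR = 0x89   # copied=1, class 0, number 9: Strict Source Routing
RR = 0x07     # copied=0, class 0, number 7: Record Route

INSIDE = ipaddress.ip_network("192.168.1.0/24")   # hypothetical Network A behind the filter


def build_ipv4(src, dst, options=b""):
    """Construct a minimal IPv4 header (no payload) carrying `options`; checksum left 0."""
    options += b"\x00" * ((-len(options)) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options


def lsrr_option(hops):
    """Loose source route option: type, length, pointer (4), then the hop addresses."""
    addrs = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(addrs), 4]) + addrs


def parse_ipv4(pkt):
    """Return (src, dst, [option type octets]) from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    opts, i = [], 20
    while i < ihl:
        t = pkt[i]
        if t == OPT_EOL:
            break
        opts.append(t)
        if t == OPT_NOP:                               # single-octet option, no length field
            i += 1
        else:
            length = pkt[i + 1]
            if length < 2:
                raise ValueError("malformed option length")
            i += length
    return src, dst, opts


def filter_packet(pkt, arriving_from):
    """The Page 76 defenses. `arriving_from` is "outside" or "inside".

    Ingress: a packet from outside claiming an inside source is spoofed.
    Egress:  a packet from inside with a non-inside source is spoofed (or misconfigured).
    Any packet carrying a source-route option is dropped regardless of its addresses."""
    src, _dst, opts = parse_ipv4(pkt)
    if LSRR in opts or SSRR in opts:
        return "drop: source-routed"
    if arriving_from == "outside" and src in INSIDE:
        return "drop: ingress spoof"
    if arriving_from == "inside" and src not in INSIDE:
        return "drop: egress spoof"
    return "accept"


if __name__ == "__main__":
    spoof = build_ipv4("192.168.1.7", "203.0.113.5")                       # inside address, from outside
    routed = build_ipv4("198.51.100.9", "192.168.1.7",
                        lsrr_option(["10.9.9.9", "192.168.1.1"]))          # the Page 75 trick
    print(filter_packet(spoof, "outside"), "|", filter_packet(routed, "outside"))
```

Egress filtering is the part most sites skip; it does nothing for your own network but stops your hosts from being used to spoof someone else's, which is why the slide lists both directions.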

Page 78

Session Hijacking 1/3

• A marriage of sniffing and spoofing
• Seeing packets, but also monitoring the TCP sequence numbers
• Sniffing, then injecting spoofed traffic

(Figure: A network-based session hijacking scenario. Alice telnets to BOB across the NETWORK ("Hi, I'm Alice"); EVE, sitting on the network, watches the session and injects packets as Alice.)

Page 79

Session Hijacking 2/3

• Session hijacking tools
  – Hunt, network-based
  – Dsniff's sshmitm tool
  – Juggernaut, network-based
  – TTYWatcher, host-based
  – TTYSnoop, host-based

Page 80

Session Hijacking 3/3

(Figure: An ACK storm triggered by session hijacking. Alice and BOB bounce ACK, ACK, ACK, ACK back and forth across the NETWORK, packets with increasing sequence numbers, while EVE watches.)

Page 81

Session Hijacking with Hunt 1/3

• Hunt
  – Network-based session-hijacking tool
  – Runs on Linux
  – Allows you to view a bunch of sessions and select a particular one to hijack
  – Injecting a command or two into the session stream results in an ACK storm
  – How to prevent an ACK storm?

• ARP spoofing
  – Sends unsolicited ARPs, known as "gratuitous" packets
  – Most systems devour them, overwriting the IP-to-MAC address mapping in their ARP tables

Page 82

Session Hijacking with Hunt 2/3

(Figure: Hunt's ARP spoofing between two hosts. Host 1: IP = a.b.c.d, MAC = AA:AA:AA:AA:AA:AA. Host 2: IP = w.x.y.z, MAC = BB:BB:BB:BB:BB:BB. Attacker: IP = Anything, MAC = CC:CC:CC:CC:CC:CC. The attacker sends "ARP: w.x.y.z is at DD:DD:DD:DD:DD:DD" to host 1 and "ARP: a.b.c.d is at EE:EE:EE:EE:EE:EE" to host 2.)

Session Hijacking with Hunt 3/3

Figure: the same segment with two more hosts, IP e.f.g.h (MAC GG:GG:GG:GG:GG:GG) and IP i.j.k.l (MAC HH:HH:HH:HH:HH:HH). The attacker also spoofs "ARP: i.j.k.l is at II:II:II:II:II:II" and "ARP: e.f.g.h is at JJ:JJ:JJ:JJ:JJ:JJ", poisoning a second pair of ARP caches in the same way so that a session between those two hosts can be relayed as well.
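The poisoning shown in the three Hunt slides above, and the check a defender would run against it, as an added example that is not part of the lecture and is not Hunt's code: a watcher in the spirit of arpwatch pins the first IP-to-MAC binding it sees and alerts when an ARP reply claims a different MAC for a known IP, noting whether that reply answered an outstanding request. The addresses (TEST-NET 192.0.2.0/24 in place of a.b.c.d and w.x.y.z) and the frames are constructed for the example.

```python
"""ARP cache-poisoning watcher (added example; not the lecture's or Hunt's code)."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize an Ethernet/IPv4 ARP packet (28 bytes, RFC 826 layout)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw type, proto, lengths, opcode
    return header + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)


def parse_arp(payload):
    """Inverse of build_arp; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": mac(payload[8:14]), "sender_ip": ip(payload[14:18]),
            "target_mac": mac(payload[18:24]), "target_ip": ip(payload[24:28])}


class ArpWatcher:
    """Passive monitor: learns bindings, flags replies that change a known one."""

    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen for it
        self.pending = set()  # (requester_ip, asked_ip) requests awaiting an answer
        self.alerts = []

    def observe(self, payload):
        arp = parse_arp(payload)
        if arp["op"] == ARP_REQUEST:
            # A request also announces the requester's own binding.
            self.bindings.setdefault(arp["sender_ip"], arp["sender_mac"])
            self.pending.add((arp["sender_ip"], arp["target_ip"]))
            return None
        if arp["op"] != ARP_REPLY:
            return None
        # A reply from S to T is solicited only if T asked for S earlier.
        solicited = (arp["target_ip"], arp["sender_ip"]) in self.pending
        self.pending.discard((arp["target_ip"], arp["sender_ip"]))
        gratuitous = (arp["sender_ip"] == arp["target_ip"]
                      or arp["target_mac"] == BROADCAST)
        known = self.bindings.setdefault(arp["sender_ip"], arp["sender_mac"])
        if known == arp["sender_mac"]:
            return None
        alert = {"ip": arp["sender_ip"], "old_mac": known, "new_mac": arp["sender_mac"],
                 "unsolicited": not solicited, "gratuitous": gratuitous}
        self.alerts.append(alert)
        return alert


def demo():
    """Replay the figure: A and B talk normally, then Hunt poisons both caches."""
    a_ip, a_mac = "192.0.2.10", "aa:aa:aa:aa:aa:aa"   # stands in for a.b.c.d / AA:...
    b_ip, b_mac = "192.0.2.20", "bb:bb:bb:bb:bb:bb"   # stands in for w.x.y.z / BB:...
    watcher = ArpWatcher()
    frames = [
        build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip),  # A: who has B?
        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip),                  # B answers
        # Hunt (Ethernet source CC:...) tells A that B is at the bogus DD:... address
        build_arp(ARP_REPLY, "dd:dd:dd:dd:dd:dd", b_ip, a_mac, a_ip),
        # and tells B that A is at the bogus EE:... address
        build_arp(ARP_REPLY, "ee:ee:ee:ee:ee:ee", a_ip, b_mac, b_ip),
    ]
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Hunt's replies are not strictly gratuitous (they are addressed to each victim rather than broadcast), which is why the watcher keys on "unsolicited" rather than on the gratuitous flag. A static ARP entry for the gateway, or switch features such as Dynamic ARP Inspection, stops the cache overwrite itself rather than merely reporting it.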

Netcat: A General Purpose Network Tool

• Swiss Army knife of network tools
• Two modes
– Client mode: nc [host] [port]
– Listen mode: nc -l
• Supports source routing

Figure: Netcat in client mode reads input from a file (or standard input) on the system running Netcat and sends it across the network to any TCP or UDP port on any system. Netcat in listen mode accepts input received from the network on any TCP or UDP port.

Netcat for File Transfer

• Pushing
– Destination machine, receiving the file:
  $ nc -l -p 1234 > [file]
– Source machine, sending the file:
  $ nc [remote_machine] 1234 < [file]
– With the classic (Hobbit) Netcat and GNU netcat, -l needs -p; the OpenBSD nc shipped with many current systems takes the port directly (nc -l 1234) and rejects -p together with -l.
– Nothing authenticates or encrypts the transfer: whoever connects to port 1234 first gets to send the file.

Figure: the source runs Netcat in client mode with input from a file and sends to TCP port X; the destination runs Netcat in listen mode on port X with output to a file.

Netcat for File Transfer

• Pulling
– Source machine, offering the file for transfer:
  $ nc -l -p 1234 < [file]
– Destination machine, pulling the file:
  $ nc [remote_machine] 1234 > [file]

Figure: the source runs Netcat in listen mode on port X with input from a file and dumps the file across the network; the destination runs Netcat in client mode, connects to port X, receives the file from the network and writes it to a file.

Netcat for Port Scanning

• Supports only standard, "vanilla" connect scans, which complete the TCP three-way handshake
• $ echo QUIT | nc -v -w 3 [target_machine] [startport]-[endport]
– -v reports each port that accepted the connection, -w 3 gives up on a port after 3 seconds, and the piped QUIT is sent to whatever service answers so that it closes the connection
– Because the handshake completes, the listening service sees a full connection, so these scans show up in the target's application logs; SYN ("half-open") scans, which Netcat cannot do, leave less trace

Netcat for Vulnerability Scanning

• Can be used as a limited vulnerability scanning tool
• Write scripts that implement individual vulnerability checks
• The UNIX version of Netcat ships with several example shell scripts, including checks for
– RPC
– NFS
– Weak trust relationships
– Bad passwords
• Limited compared to Nessus

Relaying Traffic with Netcat

Figure: a relay built from two Netcat instances. The output of a Netcat listener is fed into the input of a Netcat client, so whatever arrives at the listener is forwarded onward by the client; chaining more listener/client pairs extends the relay across further hops.

Relaying Traffic with Netcat

Figure: relaying through a compromised DMZ host. The firewall allows no traffic from the outside to the inside, allows DNS (UDP 53) from the outside to the DMZ, and allows SMTP (TCP 25) from the DMZ to the inside. On the DMZ system the attacker has compromised, a Netcat listener on UDP port 53 has its output sent to the input of a Netcat client that originates a connection on TCP port 25 to a Netcat listener on an internal system. The attacker's Netcat client outside therefore reaches the internal system although no outside-to-inside rule exists: each hop is individually permitted.
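The pivot in the figure, as an added example that is not from the lecture and is not Netcat itself: a Python stand-in for the two chained Netcat instances, so the relay can be run offline on 127.0.0.1. It listens for one UDP datagram (the "DNS" hop the firewall permits into the DMZ) and pushes the payload over a fresh TCP connection (the "SMTP" hop permitted from the DMZ to the inside), then returns the TCP reply to the UDP sender. The ports (ephemeral ones instead of 53 and 25) and the fake inside service are constructed for the demo.

```python
"""Protocol-switching relay (added example; a stand-in for two chained Netcats)."""
import socket
import threading


def relay_one_datagram(udp_sock, inside_host, inside_port, timeout=5.0):
    """Take one datagram from udp_sock, deliver it over TCP, relay the answer back.

    Returns (payload_forwarded, tcp_reply). This is the Netcat pair
    "nc -l -u -p 53 | nc inside 25" with the reply path wired back as well.
    """
    payload, peer = udp_sock.recvfrom(65535)
    with socket.create_connection((inside_host, inside_port), timeout=timeout) as tcp:
        tcp.sendall(payload)
        tcp.shutdown(socket.SHUT_WR)          # tell the inside side we are done sending
        reply = b""
        while True:
            chunk = tcp.recv(4096)
            if not chunk:
                break
            reply += chunk
    udp_sock.sendto(reply, peer)
    return payload, reply


def demo(message=b"HELO attacker.example\r\n"):
    """Run inside server, relay and outside client in-process; return what each saw."""
    seen = {}

    # Constructed "inside" TCP service: reads until EOF, then answers like an MTA might.
    inside = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    inside.bind(("127.0.0.1", 0))
    inside.listen(1)
    inside_port = inside.getsockname()[1]

    def inside_server():
        conn, _ = inside.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            seen["inside_received"] = buf
            conn.sendall(b"250 OK\r\n")
        inside.close()

    # The relay's UDP listener on the DMZ host; an ephemeral port stands in for UDP 53.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(10)
    udp_port = udp.getsockname()[1]

    def relay():
        seen["relay"] = relay_one_datagram(udp, "127.0.0.1", inside_port)

    threads = [threading.Thread(target=inside_server, daemon=True),
               threading.Thread(target=relay, daemon=True)]
    for t in threads:
        t.start()

    # The attacker outside: only UDP "DNS" to the DMZ is permitted, yet the
    # message reaches the inside TCP service and its answer comes back.
    outside = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    outside.settimeout(10)
    outside.sendto(message, ("127.0.0.1", udp_port))
    answer, _ = outside.recvfrom(4096)
    for t in threads:
        t.join(10)
    outside.close()
    udp.close()
    seen["outside_got"] = answer
    return seen


if __name__ == "__main__":
    print(demo())
```

The lesson is in the firewall policy, not the tool: two individually reasonable rules compose into an outside-to-inside path. Egress rules from the DMZ should name the specific inside hosts (the real mail relay) rather than the whole inside network, and a DMZ host that suddenly listens on UDP 53 or opens TCP 25 to a non-mail host is a detection opportunity.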

Introduction to DoS

Figure: Denial-of-Service attack categories, by where the attack is launched and what it does.

• Launched locally
– Stopping services: process killing, system reconfiguring, process crashing
– Exhausting resources: forking processes to fill the process table, filling up the whole file system
• Launched remotely
– Stopping services: malformed packet attacks (e.g., Land, Teardrop)
– Exhausting resources: packet floods (e.g., SYN flood, Smurf, Distributed Denial of Service)

Stopping Local Services

• Using a local account, stop the processes that make up valuable services
– e.g., shut down the inetd process, which takes every service it spawns with it
• Methods for stopping local services:
– Process killing
– System reconfiguration
– Process crashing
• A nasty example: the logic bomb
– Logic bomb extortion threats

Locally Exhausting Resources

• When resources are exhausted, the system grinds to a halt, preventing legitimate access
• Methods for exhausting local resources
– Filling up the process table
– Filling up the file system
– Sending outbound traffic that fills up the communications link

Remotely Stopping Services

• Remote DoS attacks are more prevalent
• Exploit an error in the TCP/IP stack

Exploit name: Land
How it works: Sends a spoofed packet whose source IP address equals the destination IP address and whose source port equals the destination port. The target receives a packet that appears to be leaving the very port it is arriving on, on the same machine at the same time. Older TCP/IP stacks get confused by this unexpected event and crash.
Susceptible platforms: A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.

Exploit name: Latierra
How it works: A relative of Land, which sends multiple Land-type packets to multiple ports simultaneously.
Susceptible platforms: A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.

Remotely Stopping Services

Exploit name: Ping of Death
How it works: Sends an oversized ping packet. An IP datagram may be at most 65,535 bytes, but the fragments of an ICMP echo request can be crafted to reassemble to more than that; older TCP/IP stacks crash (typically by overflowing the reassembly buffer) when one arrives.
Susceptible platforms: Numerous systems, including Windows, many UNIX variants, printers, etc.

Exploit name: Jolt2
How it works: Sends a stream of packet fragments, none of which has a fragment offset of zero, so none looks like the first of the series. As long as the stream keeps coming, trying to rebuild these bogus fragments consumes all processor capacity on the target machine.
Susceptible platforms: Windows 95, 98, NT, and 2000

Exploit name: Teardrop, Newtear, Bonk, Syndrop
How it works: Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments.
Susceptible platforms: Windows 95, 98, and NT, and Linux machines.

Exploit name: Winnuke
How it works: Sends out-of-band (URG-flagged) garbage data to the open NetBIOS session port (TCP port 139) on a Windows machine. Data arriving on that port that is not legitimate Server Message Block (SMB) traffic crashes the system.
Susceptible platforms: Windows 95 and NT.
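The three fragment-based attacks in the table (Jolt2, Teardrop and its relatives, Ping of Death), as an added example that is not code from the lecture: a reassembler that enforces the checks the vulnerable stacks lacked. A fragment is an (offset, more_fragments, payload) tuple with the offset in 8-byte units as in the IP header; the fragment trains are constructed, not captured.

```python
"""Fragment-train validation (added example; not from the lecture)."""
MAX_DATAGRAM = 65535   # largest IPv4 datagram the 16-bit total-length field allows


class FragmentError(ValueError):
    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def reassemble(frags):
    """Return the reassembled payload, or raise FragmentError naming the pattern."""
    if not frags:
        raise FragmentError("empty", "no fragments")
    # Jolt2: a stream in which no fragment has offset 0, so reassembly never finishes.
    if not any(off == 0 for off, _, _ in frags):
        raise FragmentError("jolt2", "no first fragment (offset 0)")
    finals = [f for f in frags if not f[1]]
    if len(finals) != 1:
        raise FragmentError("malformed", f"{len(finals)} final fragments, expected 1")
    covered = []
    for off, more, payload in frags:
        start, end = off * 8, off * 8 + len(payload)
        if more and len(payload) % 8:
            raise FragmentError("malformed", "non-final fragment length not a multiple of 8")
        # Ping of Death: offset + length exceeds what the IP length field can express.
        if end > MAX_DATAGRAM:
            raise FragmentError("ping-of-death", f"fragment ends at byte {end}")
        # Teardrop/Bonk/Syndrop: a range that overlaps a fragment already received.
        for s, e in covered:
            if start < e and s < end:
                raise FragmentError("teardrop", f"[{start},{end}) overlaps [{s},{e})")
        covered.append((start, end))
    ordered = sorted(frags, key=lambda f: f[0])
    expected = 0
    for off, _, payload in ordered:
        if off * 8 != expected:
            raise FragmentError("incomplete", f"gap before byte {off * 8}")
        expected += len(payload)
    if ordered[-1][1]:
        raise FragmentError("malformed", "highest fragment still has MF set")
    return b"".join(p for _, _, p in ordered)


def classify(frags):
    """Label a train: 'ok' or the FragmentError kind."""
    try:
        reassemble(frags)
        return "ok"
    except FragmentError as err:
        return err.kind


# Constructed fragment trains (offset, more_fragments, payload).
NORMAL = [(0, True, b"A" * 8), (1, True, b"B" * 8), (2, False, b"C" * 5)]
TEARDROP = [(0, True, b"A" * 16), (1, False, b"B" * 8)]           # second lands inside the first
JOLT2 = [(1, True, b"x" * 8)] * 4                                  # endless offset-1 fragments
PING_OF_DEATH = [(0, True, b"A" * 8), (8190, False, b"B" * 16)]   # would end at byte 65536
GAP = [(0, True, b"A" * 8), (2, False, b"B" * 8)]                  # bytes 8..15 never arrive


if __name__ == "__main__":
    for name, train in [("normal", NORMAL), ("teardrop", TEARDROP), ("jolt2", JOLT2),
                        ("ping of death", PING_OF_DEATH), ("gap", GAP)]:
        print(f"{name:14} -> {classify(train)}")
```

Refusing any overlap is stricter than what most stacks do (they keep either the first or the last copy of the overlapping bytes, and the difference between those policies is a classic IDS-evasion trick), but for a filter in front of a host it is the safe choice.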

Remotely Exhausting Resources

• Using a flood of packets
– SYN floods
– Smurf attacks
– Distributed DoS attacks (DDoS)

SYN Flood

• Abuses the three-way handshake
• On receiving a SYN, the TCP/IP stack allocates a small piece of memory in its connection queue
– To remember the half-open connection, including the initial sequence numbers, until the final ACK arrives or the entry times out
• Two ways to deny service
– Fill the connection queue with half-open connections
– Just fill the entire communications link

SYN Flood

Figure: Eve floods Bob. Eve sends SYN(X1, ISNx), SYN(X2, ISNx), SYN(X3, ISNx), ... with spoofed source addresses X1, X2, X3, ...; Bob answers each with a SYN-ACK to the spoofed address and keeps a half-open entry in his connection queue. If a spoofed address were a live host, it would answer the unexpected SYN-ACK with a RESET and the queue entry would be freed, so Eve spoofs addresses that do not respond. Alice's genuine SYN(ISNA) then finds the queue full and is dropped.

SYN Cookies (Linux Kernel)

Figure: the handshake with SYN cookies. Alice sends SYN(A, ISNA); Bob replies SYN(B, ISNB) ACK(A, ISNA); Alice completes with ACK(B, ISNB). Meanwhile Eve sends spoofed SYN(X, ISNX) packets from addresses X.

• ISNB is a function of the source IP address, destination IP address, port numbers, and a secret seed. Bob does not remember ISNB, nor does he store any information about the half-open connection in the queue.
• When ACK(B, ISNB) arrives, Bob applies the same function to the fields of the ACK packet to check whether the ISNB it acknowledges is legitimate. If it is, the connection is established.
• Bob never stores information in the connection queue for Eve's SYNs; instead he just sends SYN(B, ISNB) ACK(X, ISNX) to each spoofed address, and nothing further happens.
• The price: TCP options carried only in the SYN (window scale, SACK permitted) are lost unless they are encoded into the cookie, which is why Linux falls back to cookies only once the SYN queue actually overflows.
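The cookie function of the figure made concrete, as an added example (not the Linux implementation): Bob derives ISNB from the 4-tuple, Alice's ISN and a secret and keeps no half-open state; the final ACK is checked by recomputation. Following D. J. Bernstein's layout, the top 5 bits carry a coarse time counter and the next 3 bits an index into a table of MSS values, so that a cookie from the distant past is rejected and the MSS from the discarded SYN can still be recovered. The secret, the counter values and the addresses are constructed for the demo.

```python
"""SYN cookies, stateless server side (added example; not the Linux code)."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # values recoverable from the 3-bit index
SECRET = b"constructed-secret-seed"    # a real stack regenerates this regularly


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss_index, counter):
    """ISN_B = counter (5 bits) | MSS index (3 bits) | 24-bit keyed hash."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed,
                      sport, dport, client_isn, counter & 0x1F)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    low24 = int.from_bytes(digest[:3], "big")
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | low24


def check_cookie(src_ip, dst_ip, sport, dport, client_seq, ack, now_counter):
    """Validate the handshake's final ACK. Returns the MSS, or None if bogus or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN_B + 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    stamped = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    for age in (0, 1):                        # accept the current and previous interval only
        candidate = (now_counter - age) & 0x1F
        if candidate != stamped:
            continue
        if make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss_index, candidate) == cookie:
            return MSS_TABLE[mss_index]
    return None


class StatelessServer:
    """Bob: answers every SYN without remembering it."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.half_open = []        # stays empty by construction
        self.established = {}

    def on_syn(self, src_ip, sport, client_isn, mss, counter):
        isn_b = make_cookie(src_ip, self.ip, sport, self.port, client_isn, encode_mss(mss), counter)
        return {"seq": isn_b, "ack": (client_isn + 1) & 0xFFFFFFFF}   # the SYN-ACK

    def on_ack(self, src_ip, sport, seq, ack, counter):
        mss = check_cookie(src_ip, self.ip, sport, self.port, seq, ack, counter)
        if mss is None:
            return None
        self.established[(src_ip, sport)] = mss
        return mss


def demo():
    bob = StatelessServer("192.0.2.1", 80)
    # Eve's spoofed SYNs from X1..X3 each get a SYN-ACK and cost Bob no memory.
    for i, x in enumerate(("203.0.113.11", "203.0.113.12", "203.0.113.13")):
        bob.on_syn(x, 40000 + i, 0x1000 * i, 1460, counter=10)
    # Alice completes a real handshake within the same counter interval.
    synack = bob.on_syn("192.0.2.50", 51000, 0xA11CE, 1460, counter=10)
    alice_mss = bob.on_ack("192.0.2.50", 51000, 0xA11CE + 1, synack["seq"] + 1, counter=10)
    # A forged ACK with one bit of the cookie wrong is rejected.
    forged = bob.on_ack("192.0.2.50", 51000, 0xA11CE + 1, (synack["seq"] ^ 1) + 1, counter=10)
    # The valid cookie replayed several intervals later is rejected too.
    stale = bob.on_ack("192.0.2.50", 51000, 0xA11CE + 1, synack["seq"] + 1, counter=13)
    return {"alice_mss": alice_mss, "forged": forged, "stale": stale,
            "half_open": len(bob.half_open), "established": len(bob.established)}


if __name__ == "__main__":
    print(demo())
```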

Smurf Attacks

• Also known as directed broadcast attacks
• The attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source
• The router converts the IP broadcast into a MAC broadcast using the address FF:FF:FF:FF:FF:FF
– Every machine on the segment reads the request and sends a response to the victim, so one packet in becomes hundreds out
• Defence: routers should not forward directed broadcasts (RFC 2644; on Cisco IOS "no ip directed-broadcast", the default since release 12.0), and hosts can be configured to ignore broadcast pings

Smurf Attacks

Figure: a broadcast ping spoofed from w.x.y.z is sent to the Smurf amplifier network; every host there responds, and the flood of responses lands on the victim w.x.y.z ("UGH!").

DDoS Architecture

• First, take over a large number of victim machines, referred to as "zombies"
• Install the zombie software on those systems
– The agent component of the DDoS tool
• The attacker uses a special client tool to interact with the zombies

A DDoS Attack: Tribe Flood Network 2000

Figure: the attacker, using Netcat, talks to TFN2K client (handler) machines; each client controls several zombies; all zombies flood the victim ("UGH!").

TFN2K, a Powerful DDoS Tool

• Attack types include:
– Targa (a mix of malformed-packet attacks)
– UDP flood
– SYN flood
– ICMP flood
– Smurf attack
– "Mix" attack: UDP, SYN, and ICMP floods together

TFN2K, a Powerful DDoS Tool

• Features
– Authentication using an encrypted password
– All packets from the client to the zombies are sent as ICMP Echo Reply packets
• ICMP Echo Replies are allowed into many networks
• No port number is associated with ICMP, so there is nothing to block by port
• Finding the attacker is very difficult
– The client machine holds an encrypted file listing the IP addresses of all the zombies under its control
– Allows the attacker to run a single arbitrary command simultaneously on all zombies


Maintaining Access: Trojans, Backdoors, and Rootkits

Backdoors

• Allow an attacker to access a machine using an alternative entry method
• Bypass the front door
• When attackers collide
– An attacker closes the security holes he came in through and installs a backdoor, so that rival attackers cannot follow
– The backdoor's security controls may be even stronger than the standard system controls, possibly using SSH

Backdoors Melded into Trojan Horses

Type: Application-level Trojan horse backdoor
Characteristics: A separate application runs on the system, giving the attacker backdoor access.
Analogy: An attacker adds poison to your soup. A foreign entity is added to the existing system by the attacker.
Example tools: Back Orifice 2000 (BO2K), Sub7, Hack-a-tack, QAZ

Type: Traditional RootKits
Characteristics: Critical operating system components are replaced or modified by the attacker to create backdoors and hide on the system.
Analogy: An attacker replaces the potatoes in your soup with modified, poisonous potatoes. The existing components of the system are modified by the attacker.
Example tools: Linux RootKit 5 for Linux; T0rnKit for Linux and Solaris; other platform-specific RootKits for SunOS, AIX, SCO, Solaris, etc.

Backdoors Melded into Trojan Horses (cont.)

Type: Kernel-level RootKits
Characteristics: The operating system kernel itself is modified to foster backdoor access and allow the attacker to hide.
Analogy: An attacker replaces your tongue with a modified, poisoned tongue, so you cannot detect the deviousness by looking at the soup. The very organs you eat with are modified to poison you.
Example tools: Knark for Linux; Adore for Linux; Plasmoid's Solaris kernel-level RootKit; Windows NT RootKit

Application-Level

• Add a separate application to a system
• Mostly developed for Windows platforms
• RootKits are more popular in the UNIX world
• Example: Back Orifice 2000 (BO2K)

Figure: the attacker runs the backdoor client; the victim runs the backdoor server; remote access and control flow across the network (Internet, intranet, etc.).


Traditional RootKits

• Replace critical operating system executables

• Traditionally focused on UNIX systems

• NT/2000 RootKits replace Dynamic Link Libraries

Comparison

Figure: comparing application-level Trojan horse backdoors with traditional RootKits. Left (application-level): an "evil backdoor" runs as a separate program, while login, ps, ifconfig and the kernel are all the good originals; system executables remain intact. Right (traditional RootKit): login is replaced by a version with a backdoor, and ps and ifconfig by Trojan versions; system executables are altered to include the backdoor and other stealth capabilities, while the kernel remains intact.

What Do Traditional RootKits Do?

• RootKits depend on the attacker already having root access
• A RootKit is a suite of tools that lets the attacker keep root-level access by implementing a backdoor, and hides the attacker's presence on the system

/bin/login Replacement

• Authentication
• A RootKit replaces /bin/login with a modified version that includes a backdoor password: entering it at any login prompt grants root regardless of the account's real password

Traditional RootKits

• Linux RootKit 5 (lrk5)
– Targets Linux systems
• t0rnkit
– Targets Linux and Solaris systems

Nastiest: Kernel-Level RootKits

• The kernel is the fundamental, underlying part of the OS

Figure: left, a traditional RootKit: Trojan login, Trojan ps and Trojan ifconfig sit on top of a good kernel. Right, a kernel-level RootKit: login, ps, ifconfig and even tripwire are the good originals, but a Trojan kernel module inside the kernel lies to all of them, so an integrity check of the executables finds nothing wrong.

What They Can Do...

• The power of execution redirection
– Most kernel-level RootKits include a capability to do execution redirection
– Bait-and-switch: a request to run /bin/login is redirected to /bin/backdoorlogin, while the file /bin/login on disk stays pristine for integrity checkers
• File hiding
– Kernel-level RootKits support file hiding
– Implemented in the kernel, so every tool that lists files is fooled
• Process hiding
– Hiding processes, such as a Netcat backdoor
• Network hiding
– Masking particular network port usage from netstat
– A port scan with Nmap from another machine still shows the port, since the scan does not depend on the compromised kernel

How to Implement Kernel-Level RootKits

• Loadable Kernel Modules (LKMs)
• Many kernel-level RootKits are implemented as LKMs, loaded with a single command once root has been obtained:
  insmod knark.o

Some Examples of Kernel-Level RootKits

• Knark, a Linux kernel-level RootKit
– Remote execution
– Promiscuous-mode hiding
– Task hacking
– Real-time process hiding
• kill -31 process_id
– Kernel-module hiding
• The Knark package includes a separate module called modhide

Some Examples of Kernel-Level RootKits

• Adore, another Linux kernel-level RootKit
• Plasmoid's Solaris loadable kernel module RootKit
• Windows NT kernel-level RootKit by RootKit.com
– www.rootkit.com
– Implemented as a patch to the running kernel

Network Compromise & Denial of Service

Figure: where compromises originate and what they exploit (percentages as shown in the source figure): Internet/intranet/extranet 74%, internal systems 33%, remote access 12%.

• Network compromise
– Authentication: password crackers
– Poor service configuration: e.g., DNS, mail, FTP and web
– Protocol weakness: ARP, ICMP
– Application holes
– Backdoors
– Physical access
• Denial of service
– Out-of-bounds attack: e.g., Ping of Death and IP fragment attacks
– Host resource starvation: e.g., SYN flood
– DDoS (client, handler, agent, victim): e.g., Trinoo and Tribe Flood Network
– Bandwidth consumption: e.g., Smurf and Fraggle

Source: Hackers Beware, Eric Cole; ISBN 0735710090

Mail Spam

• Unsolicited Commercial E-mail (UCE), junk e-mail
– Usually annoying but harmless commercial advertising.
• But...
– It can spread a computer virus
– It is dangerous when it is a fraud
– It is illegal when a chain letter involves the U.S. Postal Service
• IDC predicts a growing glut of spam
– Daily e-mail volume rising from 31 billion messages in 2002 to 60 billion in 2006
• Senders use forged E-mail addresses and relay through other organizations' mail servers to avoid being traced

History of Spam

• Nothing to do with the Hormel product SPAM (SPiced hAM) itself; the name comes from a Monty Python sketch:
– A restaurant serves SPAM with every meal.
– A particular customer tries to order a meal without SPAM.
– A side table of SPAM-loving Vikings, whenever they hear the word SPAM, joyously sing a song about their love for SPAM.
– The song starts quietly with the words "SPAM, SPAM, SPAM, SPAM, SPAM...", and the Vikings sing it rising in volume, drowning out every other conversation.
– During the 2.5-minute sketch, the word SPAM is used more than 100 times.
– Hence the analogy: unwanted messages drowning out normal Internet communications.

http://notebook.ifas.ufl.edu/spam/

Reacting to Mail Spam

Mailboxes at each regional network centre for reporting spam (addresses redacted in the source):
National Taiwan University (台灣大學) [email protected]; National Chengchi University (政治大學) [email protected]; National Central University (中央大學) [email protected]; National Chiao Tung University (交通大學) [email protected]; National Chung Hsing University (中興大學) [email protected]; National Chung Cheng University (中正大學) [email protected]; National Cheng Kung University (成功大學) [email protected]; National Sun Yat-sen University (中山大學) [email protected]; National Hualien Teachers College (花蓮師院) [email protected]; National Dong Hwa University (東華大學) [email protected]; National Taitung Teachers College (台東師院) [email protected]

Source: http://140.111.1.22/tanet/spam.html

• When the Ministry of Education receives complaints from home or abroad, it forwards them to the administrators or responsible staff of the twelve regional network centres and restricts that host's connection to the academic network (TANet) backbone.
• The restriction is lifted once the mail server's administrator replies that the problem has been handled and corrected (per the minutes of the 53rd meeting of the TANet technical working group).

Malicious Code (惡性程式)

• "Malicious code" refers to any program code with hostile intent, including computer viruses, Trojan horse programs, and computer worms.

*Analysis by Symantec Security Response using data from Symantec Security Response, IDC, & ICSA; 2002 estimated
**Source: CERT

Viruses! Viruses! Viruses!

Year: 2001
Virus: Code Red (紅色警戒)
Historical significance: The first hacker-style virus; its constant scanning for IIS servers disrupted network traffic.
Loss (US$): 2.62 billion; clean-up cost 1.1 billion
Computers attacked: 1 million

Year: 2001
Virus: Nimda (娜妲)
Historical significance: The first hacker-style virus to paralyse networks through multiple infection routes: e-mail, IIS servers, and Windows network shares (Network Neighborhood).
Loss (US$): 635 million
Computers attacked: over 8 million

Year: 2002
Virus: Klez (求職信)
Historical significance: The first virus whose variants persisted for a whole year while still causing worldwide infections.
Loss (US$): 9 billion
Computers attacked: 6 million

Year: 2003
Virus: SQL Slammer (SQL警戒)
Historical significance: The first virus to attack SQL servers.
Loss (US$): 1 billion
Computers attacked: over 1 million

Year: 2003
Virus: Blaster (疾風病毒)
Historical significance: The first virus to exploit a Microsoft vulnerability less than a month after its publication.
Loss (US$): still being tallied
Computers attacked: over 1 million (so far)

Source: http://www.trendmicro.com/tw/about/news/pr/archive/2003/pr030827.htm

What Is a Virus (電腦病毒)?

• A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting, i.e., inserting a copy of itself into and becoming part of, another program (RFC 2828).
• A virus cannot run by itself; it requires its host program to be run to make the virus active.
• When does it "bomb"?
– That depends entirely on how the virus author designed the program; the trigger is not a defining property of a virus.
– "PETER-2" asks three questions every 27 February and encrypts the hard disk if they are answered wrongly.
– "Black Friday" (the Jerusalem virus) activates on any Friday the 13th.

What Is a Trojan Horse (特洛伊木馬程式)?

• A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of the system entity that invokes the program (RFC 2828).
• Typical hidden payloads: a backdoor, a rootkit.
• Unlike a computer virus, a Trojan horse does not infect other files.

What Is a Worm (電腦蠕蟲)?

• A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively (RFC 2828).
• The original makes many copies of itself, and those copies crawl like worms through the computer network, from one machine to the next.
• The most common routes are a local area network (LAN), the Internet, or E-mail. The well-known worm VBS_LOVELETTER is an example.

Viruses, Worms and Trojan Horses

Property: Infects other files
Virus: yes; Trojan horse: no; Worm: no

Property: Spreads passively (carried by the user)
Virus: yes; Trojan horse: yes; Worm: no

Property: Spreads itself actively
Virus: no; Trojan horse: no; Worm: yes

Property: Growth in number of programs
Virus: the number of infected files generally grows with computer usage; Trojan horse: no increase; Worm: depends on network connectivity, the wider the reach, the more copies

Property: Destructive capability
Virus: depends on the author; Trojan horse: depends on the author; Worm: none by itself (the damage is the resources it consumes)

Property: Impact on enterprises
Virus: medium; Trojan horse: low; Worm: high

Source: http://www.trendmicro.com/tw/security/general/guide/overview/guide01.htm

Anti-Virus Management

• Do not use or install software, floppy disks, CDs or files downloaded from the Internet whose origin is unknown
• Always install anti-virus software
– Keep the virus signatures updated; only current signatures stop new viruses
– Scan the system regularly for infections
• Follow virus news
– Security holes in the operating system itself and in application software
– Check the relevant web sites and patch the system's security holes
• Back up data regularly

Risk Management

Figure: risk management rests on two activities, risk assessment and risk mitigation; VPN, firewall and IDS are shown as the mitigation controls covered in the rest of the course.


Threat, Vulnerability and Asset


Risk Mitigation Action Points

Security Management

• ISO/IEC 17799:2000 (BS 7799 Part 1)
– A standard code of practice; it can be regarded as a comprehensive catalogue of good security things to do.
• BS 7799-2:2002 (Part 2)
– A standard specification for an Information Security Management System (ISMS).
– Senior management monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
– Elements: scope, ISMS policy, risk assessment, risk management/risk treatment, selection of control objectives and controls, Statement of Applicability (SOA), risk treatment plan

http://www.fisc.com.tw/news/MAZ/30/p4a.asp
http://www.gammassl.co.uk/bs7799/works.html

Guidelines on Firewalls

(The following slides follow NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy.)

Building Internet Firewalls

Figure: firewall types against the OSI layers (physical, data link, network, transport, session, presentation, application). A packet filter works at the network layer, with a few transport-layer fields; stateful inspection works at the transport layer, tracking connections; an application proxy works at the application layer.

Packet Filter Firewalls

• Access control based on several pieces of information contained in a network packet:
– The source address of the packet
– The destination address of the packet
– The type of traffic: the specific network protocol being used to communicate between the source and destination systems or devices (e.g., ICMP)
– Possibly some characteristics of the Layer 4 communications sessions, such as the source and destination ports
• The interface of the router the packet came from and the interface it is destined for
– Useful for routers with three or more network interfaces, and the basis of anti-spoof filtering

Boundary Routers

• The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.

Figure: a packet filter used as a boundary router.

Basic Weaknesses Associated with Packet Filters

• Do not examine upper-layer data
– Cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall
– The logging functionality present in packet filter firewalls is limited.
• Do not support advanced user authentication schemes.
• Network protocol weakness
– Vulnerable to attacks on the TCP/IP specification and protocol stack, such as network-layer address spoofing.
• Small number of variables used in access control decisions
– Susceptible to security breaches caused by improper configuration.
• But...
– Consequently, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.

Packet Filter Rulesets

• Actions:
– Accept
– Deny (the packet is refused and the sender is told so)
– Discard (the packet is dropped silently)
• By default:
– Any type of access from the inside to the outside is allowed.
– No access originating from the outside to the inside is allowed except for SMTP and HTTP.
• The SMTP and HTTP servers are positioned "behind" the firewall.

Stateful Inspection Firewalls

• More secure
– Tracks each client's ports individually, opening a return path only for the connections it has seen, rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represents a superset of packet filter firewall functionality.

Application-Proxy Gateway Firewalls

• Combine lower-layer access control with upper-layer (Layer 7, application layer) functionality.
• For example: a web proxy
• In addition to the ruleset, include authentication of each individual network user:
– User ID and password authentication
– Hardware or software token authentication
– Source address authentication
– Biometric authentication

Dedicated Proxy Servers

• Useful for web and e-mail content scanning
– Java applet or application filtering
– ActiveX control filtering
– JavaScript filtering
– Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example application/msword for Microsoft Word documents
– Virus scanning and removal
– Macro virus scanning, filtering, and removal
– Application-specific commands, for example blocking the HTTP DELETE method
– User-specific controls, including blocking certain content types for certain users


Dedicated Proxy Servers Deployments

Network Address Translation

• Developed in response to two major issues:
– Hiding the network-addressing scheme present behind a firewall environment.
– The depletion of the IP address space, which has led organizations to use NAT to map the non-routable addresses of RFC 1918 onto a smaller set of legal addresses:
• 10.0.0.0 to 10.255.255.255 (one Class A network)
• 172.16.0.0 to 172.31.255.255 (16 Class B networks)
• 192.168.0.0 to 192.168.255.255 (256 Class C networks)
• Accomplished in three fashions (NIST SP 800-41):
– Static Network Address Translation
– Hiding Network Address Translation (dynamic, many-to-one)
– Port Address Translation (PAT)

IANA-Allocated, Non-Internet-Routable IP Addresses

Figure: public IP addresses are allocated by a regional registry such as the American Registry for Internet Numbers (ARIN); private addresses come from the RFC 1918 ranges.

Address class / Network address range
A: 10.0.0.0 ~ 10.255.255.255
B: 172.16.0.0 ~ 172.31.255.255
C: 192.168.0.0 ~ 192.168.255.255

Non-routable (private) addresses are recommended for home networks.

Static Network Address Translation

Each internal system on the private network has a corresponding external, routable IP address associated with it.

PAT (Port Address Translation)
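Static NAT and PAT side by side, as an added example that is not from the lecture and not any NAT implementation's code: a translation table maps outbound connections the way a PAT device does (many private hosts behind one public address, told apart by the translated source port), keeps static one-to-one mappings for published servers, and returns None for inbound packets that match no mapping, which is what a NAT device drops. Addresses and sessions are constructed.

```python
"""Static NAT and PAT translation table (added example; not from the lecture)."""
import ipaddress


class Translator:
    def __init__(self, public_ip, static=None, first_port=1024):
        self.public_ip = public_ip
        self.static = dict(static or {})                   # private ip -> public ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.sessions = {}    # public port -> (priv_ip, priv_port, remote_ip, remote_port)
        self.by_inside = {}   # inverse of sessions
        self.next_port = first_port

    def outbound(self, src_ip, sport, dst_ip, dport):
        """Translate a packet leaving the private network; returns the new 4-tuple."""
        if not ipaddress.ip_address(src_ip).is_private:
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to translate")
        if src_ip in self.static:                           # static NAT: address only, port kept
            return (self.static[src_ip], sport, dst_ip, dport)
        key = (src_ip, sport, dst_ip, dport)
        port = self.by_inside.get(key)
        if port is None:                                    # PAT: allocate a fresh public port
            port = self.next_port
            self.next_port += 1
            self.sessions[port] = key
            self.by_inside[key] = port
        return (self.public_ip, port, dst_ip, dport)

    def inbound(self, src_ip, sport, dst_ip, dport):
        """Translate a packet arriving from outside; None means 'no mapping, drop'."""
        if dst_ip in self.static_rev:                       # static mapping: reachable unsolicited
            return (src_ip, sport, self.static_rev[dst_ip], dport)
        if dst_ip != self.public_ip:
            return None
        session = self.sessions.get(dport)
        if session is None:
            return None                                     # nobody inside asked for this
        priv_ip, priv_port, remote_ip, remote_port = session
        if (src_ip, sport) != (remote_ip, remote_port):
            return None                                     # only the session's own peer may answer
        return (src_ip, sport, priv_ip, priv_port)


def demo():
    """Two inside clients share one public address; a DMZ web server is statically mapped."""
    nat = Translator("203.0.113.10", static={"192.168.1.80": "203.0.113.80"})
    out1 = nat.outbound("192.168.1.11", 40000, "198.51.100.5", 80)   # two inside hosts
    out2 = nat.outbound("192.168.1.12", 40000, "198.51.100.5", 80)   # with the same source port
    again = nat.outbound("192.168.1.11", 40000, "198.51.100.5", 80)  # same flow, same mapping
    reply1 = nat.inbound("198.51.100.5", 80, out1[0], out1[1])
    reply2 = nat.inbound("198.51.100.5", 80, out2[0], out2[1])
    stray = nat.inbound("198.51.100.9", 80, out1[0], out1[1])        # wrong peer for the session
    unsolicited = nat.inbound("198.51.100.5", 80, "203.0.113.10", 50000)
    to_server = nat.inbound("198.51.100.5", 5555, "203.0.113.80", 80)
    return {"out1": out1, "out2": out2, "again": again, "reply1": reply1, "reply2": reply2,
            "stray": stray, "unsolicited": unsolicited, "to_server": to_server}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Note what protects the inside hosts here: not the translation but the absence of a mapping. The statically mapped server is reachable from anywhere, so it still needs firewall rules in front of it, and a PAT entry that outlives its connection (long idle timeouts) lets the remote peer keep sending into the private host.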

Personal Firewalls / Personal Firewall Appliances

• Personal firewall:
– Installed on the system it is meant to protect
– Usually offers no protection to other systems or resources
• Personal firewall appliance:
– Usually runs on specialized hardware and integrates some other form of network infrastructure components:
• Cable modem WAN routing
• LAN routing (dynamic routing support)
• Network hub
• Network switch
• DHCP (Dynamic Host Configuration Protocol) server
• Network management (SNMP) agent
• Application-proxy agents

DMZ (DeMilitarized Zone)

• A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
– "A network added between a protected network and an external network in order to provide an additional layer of security."
• A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network."
• A DMZ is a glowing example of the defense-in-depth principle.

Defense-in-Depth

• The defense-in-depth principle states that no one thing, and no two things, will ever provide total security.
• It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
• A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.

Designing a DMZ

• Start by asking yourself
– What do I want to protect? Or: what is most valuable to me?
– What is the entrance point into this system? Or: what is my front door?
• If there is more than one entrance to your system, such as an Internet connection and dial-up connections:
– Have two different DMZs.
– Have different configurations for each of those access types.

DMZ Networks

Figure: a DMZ firewall environment, and a service-leg DMZ configuration.

Domain Name Service (DNS)

Figure: split DNS example.

Placement of Servers in Firewall Environments

Figure: summary example firewall environment.

Page 157:

Firewall Ruleset: Blocking Traffic

• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.

• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.

• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.

• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.

• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.

• Inbound traffic containing IP Source Routing information.

• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).

• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.

• Inbound or outbound traffic containing directed broadcast addresses.

[Figure: firewall (FW) with Inbound and Outbound traffic]
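The ruleset above expressed as a packet classifier, as an added example that is not part of the original slides. The firewall address 203.0.113.1, the inside network 203.0.113.0/24 and the sample packets are constructed values; a packet is a plain dict and the function returns the first rule it violates.

```python
import ipaddress

# Constructed example values (not from the slides): the firewall's own
# address and the protected network that sits behind it.
FIREWALL_ADDRS = {ipaddress.ip_address("203.0.113.1")}
INSIDE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def blocking_reason(pkt):
    """Return the first slide rule the packet (a dict) violates, or None.
    Keys: direction 'in'/'out', src, dst, proto; optional dport,
    authenticated, source_route (missing keys default to the safe value)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    authenticated = pkt.get("authenticated", False)
    # Rules that apply to both inbound and outbound traffic
    if src.is_loopback or dst.is_loopback:
        return "loopback address 127.0.0.1"
    if src.is_unspecified or dst.is_unspecified:
        return "address 0.0.0.0"
    if any(src in n for n in RFC1918_NETS):
        return "RFC 1918 private source address"
    if any(dst == n.broadcast_address for n in INSIDE_NETS + RFC1918_NETS):
        return "directed broadcast destination"
    if pkt["direction"] != "in":
        return None
    # Inbound-only rules
    if pkt.get("source_route", False):
        return "IP source routing option present"
    if dst in FIREWALL_ADDRS and not authenticated:
        return "unauthenticated traffic addressed to the firewall itself"
    if any(src in n for n in INSIDE_NETS):
        return "source address claims to be behind the firewall (spoofed)"
    if pkt["proto"] == "icmp":
        return "inbound ICMP"
    if pkt["proto"] == "udp" and pkt.get("dport") in (161, 162) and not authenticated:
        return "unauthenticated SNMP"
    return None

# Constructed sample packets: one per rule exercised, plus an allowed HTTP request.
SAMPLE_PACKETS = [
    dict(direction="in", src="198.51.100.7", dst="203.0.113.1", proto="tcp", dport=22),
    dict(direction="in", src="203.0.113.50", dst="203.0.113.10", proto="tcp", dport=80),
    dict(direction="in", src="198.51.100.7", dst="203.0.113.10", proto="icmp"),
    dict(direction="out", src="192.168.1.5", dst="198.51.100.7", proto="tcp", dport=443),
    dict(direction="in", src="198.51.100.7", dst="203.0.113.10", proto="udp", dport=161),
    dict(direction="in", src="198.51.100.7", dst="203.0.113.10", proto="tcp", dport=80),
]

def filter_decisions(packets=SAMPLE_PACKETS):
    """Return 'DROP: <reason>' or 'ALLOW' for each packet, in order."""
    return [f"DROP: {r}" if (r := blocking_reason(p)) else "ALLOW" for p in packets]
```

Rule order matters: the address checks that apply in both directions run first, so a spoofed loopback or private source is rejected before any inbound-only rule is consulted.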

Page 158:

Network Intrusion Detection Systems

An intrusion is an attempt to:

• Compromise the confidentiality, integrity, or availability of a resource, or

• Bypass the security mechanisms of a computer or network

Page 159:

IDS History

http://www.securityfocus.com/infocus/1514

Page 160:

Types of IDS (Information Source)

Network (NID): Capture and analyze all network packets

Host (HID): Operate on information (e.g., logs or OS system calls) collected from within an individual computer system.

Network-Node (NNID): Monitor packets to/from a specific node

Application-Integrated (AIID): Uses a module, coupled with the application, to extract the desired information and monitor transactions

Application (AID): Operate on application transaction logs, e.g., Entercept Web Server Edition

http://www.networkintrusion.co.uk/ids.htm

Page 161:

Complement IDS Tools

Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml

Honey Pot: A system/resource designed to be attractive to potential attackers

Padded Cell: When the IDS detects attackers, it seamlessly transfers them to a special padded cell host

Vulnerability Assessment: Determine whether a network or host is vulnerable to known attacks

File Integrity Checkers: Create a baseline by applying a message digest (cryptographic hash) to key files, then check the files periodically
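A minimal file integrity checker of the kind the slide describes, as an added example that is not part of the original slides. The file names and contents are constructed in a temporary directory; baseline, check and report are separate functions so the baseline can be stored away from the monitored host.

```python
import hashlib
import json
import os
import tempfile

def digest_file(path, algorithm="sha256"):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the digest of every key file that currently exists."""
    return {p: digest_file(p) for p in paths if os.path.isfile(p)}

def save_baseline(baseline, out_path):
    # In practice keep this on read-only or off-host storage: an intruder
    # who can rewrite the baseline can hide any change to the files.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def check_baseline(baseline):
    """Recompute each digest and classify every baselined file."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif digest_file(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report

def demo():
    """Constructed scenario in a temp dir: baseline three files, then
    append to one and delete another.  Returns the report with basenames."""
    d = tempfile.mkdtemp()
    files = {n: os.path.join(d, n) for n in ("hosts", "passwd", "sshd_config")}
    for name, path in files.items():
        with open(path, "w") as f:
            f.write(f"# constructed contents of {name}\n")
    baseline = build_baseline(files.values())
    save_baseline(baseline, os.path.join(d, "baseline.json"))
    with open(files["hosts"], "a") as f:
        f.write("# an unauthorized change\n")
    os.remove(files["sshd_config"])
    report = check_baseline(baseline)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```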

Page 162:

IDS Life Cycle

Phases shown in the life-cycle figure:

Testing: • Accuracy • Resource Usage • Stress

Vulnerability Assessment

Installation: • Information Collecting • Filtering and Correlation • Traffic Analysis

Tuning

Configuration: • Signature Updating • Writing Signature

Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.

www.nwfusion.com/techinsider/2002/0624security1.html

Page 163:

IDS Market Forecast (I)

Source: IDC, 2001

Page 164:

IDS Market Forecast (II)

Source: IDC, 2001

Page 165:

When Firewall Meets IDS

IDS: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

• Validate firewall configuration

• Detect attacks that firewalls allow to pass through (such as attacks against web servers)

• Seize insider hacking

Firewall: A gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).

• Access Control

• NAT

• Prevent the attacks

Page 166:

NIDS Deployments

Mode: • Tap • SPAN (Mirror) • Port Clustering • In-Line

Sensor positions in the figure (Internet, External firewall, DMZ, Network Backbones, Critical Subnets):

1. Outside the external firewall, on the Internet side:

• See all outside attacks to help forensic analysis

2. In the DMZ, behind the external firewall:

• Identify DMZ-related attacks

• Spot outside attacks that penetrate the network's perimeter

• Avoid outside attacks on the IDS itself

• Highlight external firewall problems with the policy/performance

• Pinpoint compromised servers via outgoing traffic

3. On the network backbones:

• Increase the possibility of recognizing attacks

• Detect attacks from insiders or authorized users within the security perimeter

4. On critical subnets:

• Observe attacks on critical systems and resources

• Provide cost-effective solutions

Page 167:

IDS Balancer

[Figure: Internet -> GigaBit SX Tap (fiber tap) -> IDS Balancer -> Network, with sensors attached to the balancer]

Products: • Toplayer's IDS Balancer • Radware FireProof

Benefits: • Availability • Scalability • ROI • Cost-effective (reduce sensors while increasing intrusion coverage)

Page 168:

Detection Engine Analysis

Detection engine types: • Protocol Anomalies • Stateful Signatures • Backdoor Detection • Traffic Anomalies • Simple Pattern Matching

String Matching Weaknesses

• Whisker evasion modes: URL encoding; /./ directory insertion; premature URL ending; long URL; fake parameter; TAB separation (not NT/IIS); case sensitivity; Windows delimiter; session splicing (slow); NULL method

• Polymorphic mutation

• Fragmentation: overlap, overwrite, time out

• Denial of Service
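Why simple pattern matching is weak against the encoding, /./ insertion, case and delimiter variants listed above, and how a detection engine closes that gap by canonicalizing the request path before matching. This is an added example, not code from the original slides; the signature string and the sample request paths are constructed for the demonstration.

```python
from urllib.parse import unquote

# Constructed signature for the demonstration; not a real attack string.
SIGNATURES = ["/cgi-bin/example-vuln"]

def normalize_path(raw_path):
    """Canonicalize an HTTP request path before signature matching so that
    the slide's string-matching evasions (URL encoding, /./ insertion, case
    changes, Windows '\\' delimiters, appended parameters) all map to the
    same string the signature was written against."""
    path = raw_path.split("?", 1)[0]          # drop query string / fake parameters
    path = path.replace("\\", "/")            # Windows delimiter -> '/'
    previous = None
    while previous != path:                   # decode until stable (handles %25xx double encoding)
        previous, path = path, unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                  # collapse '//' and '/./'
            continue
        if seg == "..":                       # resolve '/../' as the server would
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()   # case-insensitive comparison

def naive_match(raw_path):
    """Simple pattern matching straight on the wire bytes."""
    return any(sig in raw_path for sig in SIGNATURES)

def normalized_match(raw_path):
    """The same signatures applied after canonicalization."""
    return any(sig in normalize_path(raw_path) for sig in SIGNATURES)

# Constructed request paths: the plain form plus one variant per evasion.
SAMPLE_PATHS = [
    "/cgi-bin/example-vuln",                 # plain
    "/cgi-bin/%65xample-vuln",               # URL encoding
    "/cgi-bin/./example-vuln",               # /./ directory insertion
    "/CGI-BIN/Example-Vuln",                 # case variation
    "/cgi-bin\\example-vuln",                # Windows delimiter
    "/cgi-bin/example-vuln?id=1",            # appended parameter
]

def compare(paths=SAMPLE_PATHS):
    """Return (path, naive_hit, normalized_hit) for each sample path."""
    return [(p, naive_match(p), normalized_match(p)) for p in paths]
```

Only the plain path and the appended-parameter variant hit the naive matcher; all six hit after normalization, which is the behaviour a signature engine needs before it compares bytes.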

Page 169:

The Detection Results

Four outcomes: True Positive, True Negative, False Positive, False Negative

False negatives, causes: • Wire-speed performance • Mis-configuration • Poor detection engine • IDS Evasion

False positives, consequences: • Annoy • Crying wolf • Tuning • Prevention?

Page 170:

IDS Responses After Detection

Active Responses

• Collect additional information

• Change the Environment: reconfiguring routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols, or services; injecting TCP reset packets

• Take Action Against the Intruder: retaliation (information warfare)

Passive Responses

• Alarms/Notifications

• SNMP Integration: support an SNMP manager (e.g., HP OV) and MIB (e.g., iss.mib trap); generate SNMP traps

Source: NIST

Intrusion Detection Working Group

• IDMEF - Intrusion Detection Message Exchange Format: XML-based alert format among IDS components

• IDXP - Intrusion Detection Exchange Protocol: communication protocol for exchanging IDMEF messages

Page 171:

Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)

TCP/UDP Port   Name          Short description

18181/tcp      FW1_cvp       Check Point OPSEC Content Vectoring Protocol - Protocol used for communication between FWM and AntiVirus Server

18182/tcp      FW1_ufp       Check Point OPSEC URL Filtering Protocol - Protocol used for communication between FWM and Server for Content Control (e.g. Web Content)

18183/tcp      FW1_sam       Check Point OPSEC Suspicious Activity Monitor API - Protocol e.g. for Block Intruder between MM and FWM

18184/tcp      FW1_lea       Check Point OPSEC Log Export API - Protocol for exporting logs from MM

18185/tcp      FW1_omi       Check Point OPSEC Objects Management Interface - Protocol used by applications having access to the ruleset saved at MM

18187/tcp      FW1_ela       Check Point Event Logging API - Protocol used by applications delivering logs to MM

18207/tcp      FW1_pslogon   Check Point Policy Server Logon protocol - Protocol used for download of Desktop Security from PS to SCl

NFR and RealSecure support FW1_sam and FW1_ela

Page 172:

NIDS Market Predictions: Head to Head

• IDS is dead, long live IPS

• Intrusion detection market jumped 29.2 per cent year on year (firewall/virtual private network security appliance market increased 7.5 per cent).

• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.

• Could reach $2 billion in 2005, up from $486 million in 2000.

• IDS market will grow 43 per cent to $149m by 2004

• IDS revenue will hit $1.1bn by 2006

http://www.vnunet.com/News/1143747

http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf

[Chart: IPS Revenue and IDS Revenue, 2002-2005]

• By end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.

• By year end 2004, advances in non-signature based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.

Page 173:

Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)

Host Intrusion Prevention (HIP) products:

Company                              Website

Entercept Security Technologies      www.entercept.com

Harris STAT Neutralizer              www.statonline.com

Okena StormWatch and StormFront      www.okena.com

Sana Security                        www.sanasecurity.com

Linux IDS                            www.lids.org

Acquisitions: OneSecure -> NetScreen; Okena -> Cisco; Entercept and Intruvert -> Network Associates

Drawbacks: • Inadvertently block legitimate traffic • Ineffective against denial-of-service attacks

Gateway IDS (GIDS) products:

Company                              Website

Captus Networks                      www.captusnetworks.com

Cisco Systems IDS                    www.cisco.com

ForeScout ActiveScout                www.forescout.com

RealSecure Network Protection        www.iss.net

Intruvert Networks                   www.intruvert.com

NetScreen Technologies IDP           www.netscreen.com

Snort Hogwash                        http://hogwash.sourceforge.net

TippingPoint Technologies UnityOne   www.tippingpoint.com

http://www.cio.com/archive/061503/et_article.html