Security Implementation : Products and...

Security Implementation :Products and Services

Contents

1. Security Vulnerablility2. Security Products3. Security Services

Security Vulnerability


Definition weakness in a product that could allow an attacker to

compromise the integrity, availability, or confidentiality of that product

Classification by asset Hardware : 온습도, 먼지, 진동 등

Software : Memory leak, Race condition

Networks : Protocol, Traffic

Environment : 전원, 자연재해

Personnel : Password, Management, Audit


Network/Software/Personnel Password Protocol Traffic Application Service Worm


Password ID – email Dictionary attack Brute Force Attack (무차별 대입 공격) : 성공할 때까지 가능한

모든 조합의 경우의 수를 시도해 원하는 공격을 시도하는 것

Alphabet(26) + number(10) = 36 4자리 : 38 ^ 4 = 1,679,6168자리 : 38 ^ 8 = 2,821,109,907,456

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

14 6 6 8 20 6 8 10 14 4 4 8 8 12 14 6 4 12 12 14 10 4 8 2 4 2


Protocol SYN Flooding TCP sequence number guessing ICMP Flooding : ping –f –s 10000 DHCP

Traffic DoS, DDos

Application Exploit Shellcode : buffer overflow Messenger : MS messenger phishing Spyware : PC내 정보수집, 바이러스 감염 경고/결재 유도


Service HTTP, FTP, SMTP, POP3,TELNET, SSH DNS, SNMP, SQL, Oracle Netbios, RPC, Remote Desktop, etc, ….

Worm Slammer worm : 2003.1.25

MSSQL 취약점 이용, PC rebooting10분만에 약 75,000 대 감염

Security Products

Firewall

• Filtered by L2(MAC), IP Header, TCP Header, Protocols

Firewall

Firewall

TCP Header Format

LINUX Netfilter Kernel > 2.4 Main Features

– stateless packet filtering (IPv4 and IPv6)– stateful packet filtering (IPv4 and IPv6)– NAT/NAPT (IPv4 and IPv6)– flexible and extensible infrastructure– multiple layers of API's for 3rd party extensions

Firewall - Implementation

Prerouting Forward Postrouting

Input

Routing

Routing

Local Process

ConntrackMangleNAT(dnat)

filter

FilterConntrack

ConntrackMangleNAT(dnat)filter

Output

NAT(snat)NAT(Masq)conntrack

Firewall - Implementation

Netfilter Architecture

VPN(IPSEC)

Source KISA

VPN(IPSEC)

Overview of IPSEC standards

Internet

IPsec Tunnel or TransportData

Host Host

Internet

IPsec TunnelData

Host HostSecureGateway Secure

Gateway

Transport mode Tunnel mode상위계층 데이터에 보안서비스 제공 전체 IP 패킷에 보안서비스 제공

host에 적용 host와 secure gateway에 적용

VPN(IPSEC)

Operation Modes

VPN(IPSEC)

• Next Header(8 bits)

– Specify the Next Header Type

• Payload Length(8 bits)

– Length of AH in 4-byte Unit

– Null Authentication used for debugging• IPv4 = 1, IPv6 = 2

• RESERVED(16 bits)

– Set ot All “Zero”

• SPI(32 bits)

– Identify the Security Association

– 1~255 : Reserved by IANA

• Sequence Number(32 bits)

– Monotonically Increasing Counter Value

– For the Anti-Replay Service

• Authentication Data(Variable Size)

– ICV of the Packet

Next Header Payload Length RESERVEDSecurity Parameter Index(SPI)Sequence Number Field

Authentication Data(variable)

0 7 8 15 16 31 Authentication Header Format

AH Location - Transport Mode

VPN(IPSEC)

Original IP Header(Any options)

TCP Data


TCP DataAH

IPv4

Before Applying AH

Authenticated except for mutable fields


TCP Data


TCP DataAH

Extension Headersif present

ExtHdr(Hop-by-hop,dest,routing, frag.)

Dest.Options

IPv6

Before Applying AH

Authenticated except for mutable fields

AH Location - Tunnel Mode

VPN(IPSEC)


TCP Data


TCP DataAH

IPv4

Before Applying AH

New IP Header(Any options)

Authenticated except for mutable fields in the New IP Header


TCP Data


TCP DataAH


Ext Hdrsif present

IPv6

Before Applying AH

Ext Hdrsif present


Authenticated except for mutable fields in the New IP Header

VPN(IPSEC)

• SPI(32 bits)

– Identify the Security Association

– 1~255 : Reserved by IANA

• Sequence Number(32 bits)

– Monotonically Increasing Counter Value

– For the Anti-Replay Service

• Padding(for Encryption)

– For the Block Cipher

• Payload Data(variable size)

– Upper Layer Data

– IV(Initial Vector) Included

• Pad Length(8 bits)

• Next Header(8 bits)

– Specify the Next Header Type

• Authentication Data(Variable Size)

– ICV of the Packet

Sequence Number FieldPayload Data(variable)

0 15 16 31Security Parameter Index(SPI)

Pad LengthAuthentication Data(variable)

Next Header

Padding(0~255 bytes)

AuthenticationCoverage

ConfidentialityCoverage

ESP Header Format

ESP Header Location - Transport Mode

VPN(IPSEC)


TCP Data


ESP Hdr.

IPv4

Before Applying ESP

TCP Data ESPTrailer

ESPAuth.



ESP Hdr.


ExtHdr(Hop-by-hop,dest,routing, frag.)

Dest.Options

IPv6

Before Applying ESPTCP Data

TCP Data ESPTrailer

ESPAuth.

EncryptedAuthenticated


ESP Header Location - Tunnel Mode

VPN(IPSEC)


TCP Data


ESP Hdr.

IPv4

Before Applying ESP

TCP Data ESPTrailer

ESPAuth.




ESP Hdr.


Ext Hdrsif present

Orig ExtHeaders

IPv6

Before Applying ESPTCP Data

TCP Data ESPTrailer

ESPAuth.




Introduction to IKE(1/2)

IKE is a mature, complex protocol for securely setting up keyed sessions, in particular IP-Sec Security Associations (SA)

IKE evolved over several years from multiple proposals.IKEv2 is now `draft standard`

IKE runs over UDP (port 500; detect NAT: 4500)One IKE message per UDP datagram

Uses (only) exchanges (request/response)- Initiator makes request, Responder responses- Initiator (only) retransmits/aborts for reliability- Not necessarily client/server! But usually Initiator is client.

VPN(IPSEC)

VPN(IPSEC)

Introduction to IKE(2/2)

Two phases

1st phase: setup ISAKMP SA (Internet Security Association and Key Management Protocol)

- Algorithms, keys, etc. – to be used by IKE (not AH/ESP!)- Perfect forward secrecy (PFS): exposure of all keys does not

expose past traffic [using Diffie- Helman]

2nd phase: Generate IP-Sec SA- Protected using the ISAKMP SA- Many 2nd phases may share ISAKMP SA (1st phase)E.g. one 1st phase for gateways, then many 2nd phase for eachpair of hosts using these gateways

- More efficient than 1st phase; PFS optional

VPN - Implementation

1. Kernel IPSEC SupportLinux Kernel > 2.5.47

2. Package InstallUser-land tool : set-keyIKE tool : racoon(ipsec-tools)

VPN - Implementation

• Turn on/Verify the following features in Kernel 2.6.x

Networking support (NET) [Y/n/?] y** Networking options* PF_KEY sockets (NET_KEY) [Y/n/m/?] y

IP: AH transformation (INET_AH) [Y/n/m/?] yIP: ESP transformation (INET_ESP) [Y/n/m/?] yIP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y

Cryptographic API (CRYPTO) [Y/n/?] yHMAC support (CRYPTO_HMAC) [Y/n/?] yNull algorithms (CRYPTO_NULL) [Y/n/m/?] yMD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] ySHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] yDES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] yAES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y

• SSL (Secure Socket Layer)– 배경 : 1993년 웹 서버와 브라우저간의 안전한 통신을 위해 Netscape 社에 의해 개발

– 특징 : 세션계층에서 적용되며, 응용계층의 FTP, TELNET, HTTP등의 프로토콜의 안전성 보장

– 서버 인증, 클라이언트 인증, 기밀성 보장– 현황 및 전망 : 현재 많은 전자 쇼핑 몰 업체에서 채택, 운영

• TLS (Transport Layer Security)– 배경 : SSL 3.0 이 표준화된 이후 IETF는 1996년 6월부터 TLS 프로토콜

에 대한 표준화 (SSLv3.1)– Backward compatible with SSLv3– 특징 : SSL 3.0을 기반으로 한 업그레이드 프로토콜– 현황 및 전망 : 현재 TLS 1.2 발표, 지속적 개발 예상

SSL / TLS

SSL / TLS

SSL / TLS 의 기능

• 서버 인증 기능– 사용자는 서버의 신원을 확인– 서버의 certificate 와 public ID가 정당 확인– 클라이언트의 신뢰 된 인증 기관들의 목록에 서버의 인증 기관이 포

함되었는지를 확인 (표준 공개키 암호화 기술을 사용)

• 클라이언트 인증– 서버는 클라이언트의 신원을 확인– 클라이언트의 certificate 와 public ID가 정당 확인– 서버의 신뢰 된 인증기관 들의 목록에 클라이언트의 인증 기관이 포

함되었는지를 확인 (표준 공개키 암호화 기술을 사용)

• 암호화된 SSL 연결– 클라이언트와 서버 사이에 송/수신 되는 모든 정보는 암호화/복호화

+ 무결성 보장

SSL / TLS

SSL Architecture

• Handshake 프로토콜– 서버와 클라이언트간의 상호인증을 수행하고, 사용할 키 교환 방식,

대칭키 암호 방식, HMAC 방식, 압축방식 등의 보안속성을 협상

• Change Cipher Spec 프로토콜– Handshake 프로토콜에 의해 협상된 압축, MAC, 암호화 방식 등이

이후부터 적용됨을 상대방에게 알림

• Alert 프로토콜– 세션의 종료 또는 오류 발생시 이를 상대방에게 알림

• Record 프로토콜– 상위계층 메시지들이 보안성이 유지되며 전송될 수 있도록 하기 위

하여, 메시지 분할, 압축, 메시지 인증, 암호화 등의 작업을 수행

SSL / TLS

SSL / TLS

SSL Record protocol

SSL Record protocol

▣ Confidentiality◈using symmetric encryption with a shared secret key defined by

Handshake Protocol◈ IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128◈message is compressed before encryption

▣ Message integrity◈using a MAC with shared secret key◈similar to HMAC but with different padding

SSL / TLS

SSL / TLS

• Fragmentation– 2^14bytes(16384bytes) or less

• Compression– Optional, lossless– No compression in SSLv3, TLS

• MAC

• Encryption– IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128

hash ( MAC_write_secret pad_2hash( =MAC_write_secret pad_1 seq_num SSLCompressed.type

SSLCompressed.length SSLCompressed.fragment) )

SSL HandShake

1 ClientHello

7 Certificate

8 ClientKeyExchange

9 CertificateVerify

10 ChangeCipherSpec

11 Finished

6ServerHelloDone

13Finished

2ServerHello

3Certificate

4ServerKeyExchange

5CertificateRequest

ChangeCipherSpec 12

클

라

이

언

트

서

버

Note: Optional or situation-dependent messages that are not always sent

Openssl www.openssl.org Build

download latest openssl package (v1.0.1c – 2012.5.10)

compile package./configmakemake testmake install

RootCA 생성

SSL/TLS - Implementation

IDS(Intrusion Detection System) IPS(Intrusion Prevention System) L2 ~ L7 pattern matching

IDS/IPS

IPS

Pattern Matching Regular Expression

| : gray | grey? : colou?r matches both "color" and "colour“* : ab*c matches "ac", "abc", "abbc", "abbbc", …..+ : ab+c matches "abc", "abbc", "abbbc", ….,

but not "ac".

DFA(Deterministic Finite Automaton) NFA(Nondeterministic Finite Automaton) PCRE(Perl Compatible Regular Expression) HFA(Hyper Finite Automaton)

IDS/IPS

Snortwww.snort.orglatest version : 2.9.3.1 (2012.8)

IDS/IPS - Implementaion

Output Plug-ins

Output to log file, console etc

Detection Engine

Detection Plug-insReferences

Preprocessors

Decoder

Packet Capture Module

Packets from wire

Output Notification

Host

SnortRunning

OnSystem

Rule Storage

SnortXL Output Agent SnortXL Input Agent

Rules etc.

Packet Out Module

Packets back on the wire

(for IPS only)

IDS/IPS - Implementaion

Architecture

Security Services

Security Services

Security Consulting Service 모의 해킹, 보안 점검, Consulting

Security Monitoring/Management Remote Security, Network Monotoring/Management

Patch Management Windows patch Virus patch Software patch

Training

Security Implementation : Products and...

Documents

Transcript of Security Implementation : Products and...