Security Implementation : Products and Services


Page 1
Source: ocw.dongguk.edu/contents/2013/2013222111152/pdf2013222111152.pdf

Security Implementation : Products and Services

Page 2

Contents

1. Security Vulnerability
2. Security Products
3. Security Services

Page 3

Security Vulnerability

Page 4

Security Vulnerability

Definition : a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product

Classification by asset

Hardware : temperature/humidity, dust, vibration, etc.
Software : memory leak, race condition
Networks : protocol, traffic
Environment : power supply, natural disasters
Personnel : password, management, audit

Page 5

Security Vulnerability

Network / Software / Personnel : Password, Protocol, Traffic, Application, Service, Worm

Page 6

Security Vulnerability

Password
• ID – email
• Dictionary attack
• Brute force attack : trying every possible combination until the attack succeeds

Alphabet (26) + numbers (10) = 36 symbols
4 characters : 36 ^ 4 = 1,679,616
8 characters : 36 ^ 8 = 2,821,109,907,456

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
14 6  6  8  20 6  8  10 14 4  4  8  8  12 14 6  4  12 12 14 10 4  8  2  4  2

Page 7

Security Vulnerability

Protocol
• SYN flooding
• TCP sequence number guessing
• ICMP flooding : ping –f –s 10000
• DHCP

Traffic
• DoS, DDoS

Application
• Exploit
• Shellcode : buffer overflow
• Messenger : MS messenger phishing
• Spyware : collects information from the PC; shows fake virus-infection warnings to induce payment

Page 8

Security Vulnerability

Service
• HTTP, FTP, SMTP, POP3, TELNET, SSH, DNS, SNMP, SQL, Oracle, NetBIOS, RPC, Remote Desktop, etc.

Worm
• Slammer worm : 2003.1.25
• Exploited an MSSQL vulnerability; rebooted infected PCs; infected about 75,000 hosts within 10 minutes

Page 9

Security Products

Page 10

Firewall

• Filtered by L2(MAC), IP Header, TCP Header, Protocols

Page 11

Firewall

Page 12

Firewall

TCP Header Format

Page 13

Firewall - Implementation

Linux Netfilter (kernel > 2.4) main features
– stateless packet filtering (IPv4 and IPv6)
– stateful packet filtering (IPv4 and IPv6)
– NAT/NAPT (IPv4 and IPv6)
– flexible and extensible infrastructure
– multiple layers of APIs for 3rd-party extensions

Page 14

Firewall - Implementation

Netfilter Architecture (diagram) : packet flow through the hooks
– PREROUTING : conntrack, mangle, NAT (dnat) → routing decision
– INPUT : filter → local process
– FORWARD : filter, conntrack
– OUTPUT (from local process) : conntrack, mangle, NAT (dnat), filter → routing decision
– POSTROUTING : NAT (snat), NAT (masquerade), conntrack

Page 15

VPN(IPSEC)

Source KISA

Page 16

VPN(IPSEC)

Overview of IPSEC standards

Page 17

VPN(IPSEC)

Operation Modes (diagram) : in transport mode two hosts talk directly across the Internet with IPsec (tunnel or transport) protecting the data; in tunnel mode each host sits behind a secure gateway and an IPsec tunnel between the two gateways protects the data across the Internet.

Transport mode : provides security services to the upper-layer data; applied at hosts
Tunnel mode : provides security services to the entire IP packet; applied at hosts and secure gateways

Page 18

VPN(IPSEC)

• Next Header (8 bits)
– Specifies the next header type

• Payload Length (8 bits)
– Length of the AH in 4-byte units
– Null authentication (used for debugging) : IPv4 = 1, IPv6 = 2

• RESERVED (16 bits)
– Set to all zero

• SPI (32 bits)
– Identifies the Security Association
– 1~255 : reserved by IANA

• Sequence Number (32 bits)
– Monotonically increasing counter value
– For the anti-replay service

• Authentication Data (variable size)
– ICV of the packet

Authentication Header Format (diagram) : bits 0–7 Next Header | bits 8–15 Payload Length | bits 16–31 RESERVED; Security Parameter Index (SPI); Sequence Number Field; Authentication Data (variable)
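As an added example (not from the lecture), the fixed AH fields above parsed with Python's struct module, with the ICV length derived from Payload Length (which, per RFC 4302, counts the 4-byte words of the whole AH minus 2), the IANA-reserved SPI range rejected, and a 64-entry sliding anti-replay window fed by the Sequence Number field. build_ah, accept_ah_packet and the 12-byte ICV values are constructed for the demonstration.

```python
import struct

AH_FIXED_LEN = 12  # Next Header(1) + Payload Length(1) + RESERVED(2) + SPI(4) + Sequence Number(4)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Construct an AH for the demo; Payload Length = number of 4-byte words in the AH minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data: bytes) -> dict:
    """Parse the fixed AH fields and slice out the Authentication Data (ICV) that follows them."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    if 1 <= spi <= 255:
        raise ValueError("SPI %d lies in the IANA-reserved range" % spi)
    ah_len = (payload_len + 2) * 4  # Payload Length is in 4-byte units, minus 2
    if len(data) < ah_len:
        raise ValueError("AH length exceeds packet length")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:ah_len], "ah_len": ah_len}


class ReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted at most once, and
    anything older than the window's left edge is rejected (RFC 4302-style bitmap)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  <=>  sequence number (top - i) has already been seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # the first sequence number used on an SA is 1
            return False
        if seq > self.top:                # newer than anything seen: slide the window right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # older than the window: reject
            return False
        if self.bitmap & (1 << offset):   # already received: replay
            return False
        self.bitmap |= 1 << offset        # out of order but fresh: accept and mark
        return True


def accept_ah_packet(window: ReplayWindow, data: bytes) -> bool:
    """Receiver-side sequence check; a real stack verifies the ICV before updating the window."""
    return window.check_and_update(parse_ah(data)["seq"])
```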

Page 19

AH Location - Transport Mode

VPN(IPSEC)

IPv4 (diagram)
Before applying AH : [Original IP Header (any options)] [TCP] [Data]
After applying AH : [Original IP Header (any options)] [AH] [TCP] [Data]
Authenticated except for mutable fields

IPv6 (diagram)
Before applying AH : [Original IP Header (any options)] [Extension Headers if present] [TCP] [Data]
After applying AH : [Original IP Header (any options)] [Ext Hdr (hop-by-hop, dest, routing, frag.)] [AH] [Dest. Options] [TCP] [Data]
Authenticated except for mutable fields

Page 20

AH Location - Tunnel Mode

VPN(IPSEC)

IPv4 (diagram)
Before applying AH : [Original IP Header (any options)] [TCP] [Data]
After applying AH : [New IP Header (any options)] [AH] [Original IP Header (any options)] [TCP] [Data]
Authenticated except for mutable fields in the New IP Header

IPv6 (diagram)
Before applying AH : [Original IP Header (any options)] [Extension Headers if present] [TCP] [Data]
After applying AH : [New IP Header (any options)] [Ext Hdrs if present] [AH] [Original IP Header (any options)] [Ext Hdrs if present] [TCP] [Data]
Authenticated except for mutable fields in the New IP Header

Page 21

VPN(IPSEC)

• SPI(32 bits)

– Identify the Security Association

– 1~255 : Reserved by IANA

• Sequence Number(32 bits)

– Monotonically Increasing Counter Value

– For the Anti-Replay Service

• Padding(for Encryption)

– For the Block Cipher

• Payload Data(variable size)

– Upper Layer Data

– IV(Initial Vector) Included

• Pad Length(8 bits)

• Next Header(8 bits)

– Specify the Next Header Type

• Authentication Data(Variable Size)

– ICV of the Packet

ESP Header Format (diagram) : Security Parameter Index (SPI), bits 0–31; Sequence Number Field; Payload Data (variable); Padding (0~255 bytes); Pad Length | Next Header; Authentication Data (variable)
Authentication coverage : SPI through Next Header
Confidentiality coverage : Payload Data through Next Header

Page 22

ESP Header Location - Transport Mode

VPN(IPSEC)

IPv4 (diagram)
Before applying ESP : [Original IP Header (any options)] [TCP] [Data]
After applying ESP : [Original IP Header (any options)] [ESP Hdr.] [TCP] [Data] [ESP Trailer] [ESP Auth.]
Encrypted : TCP through ESP Trailer; Authenticated : ESP Hdr. through ESP Trailer

IPv6 (diagram)
Before applying ESP : [Original IP Header (any options)] [Extension Headers if present] [TCP] [Data]
After applying ESP : [Original IP Header (any options)] [Ext Hdr (hop-by-hop, dest, routing, frag.)] [ESP Hdr.] [Dest. Options] [TCP] [Data] [ESP Trailer] [ESP Auth.]
Encrypted : Dest. Options through ESP Trailer; Authenticated : ESP Hdr. through ESP Trailer

Page 23

ESP Header Location - Tunnel Mode

VPN(IPSEC)

IPv4 (diagram)
Before applying ESP : [Original IP Header (any options)] [TCP] [Data]
After applying ESP : [New IP Header (any options)] [ESP Hdr.] [Original IP Header (any options)] [TCP] [Data] [ESP Trailer] [ESP Auth.]
Encrypted : Original IP Header through ESP Trailer; Authenticated : ESP Hdr. through ESP Trailer

IPv6 (diagram)
Before applying ESP : [Original IP Header (any options)] [Extension Headers if present] [TCP] [Data]
After applying ESP : [New IP Header (any options)] [Ext Hdrs if present] [ESP Hdr.] [Original IP Header (any options)] [Orig Ext Headers] [TCP] [Data] [ESP Trailer] [ESP Auth.]
Encrypted : Original IP Header through ESP Trailer; Authenticated : ESP Hdr. through ESP Trailer

Page 24

VPN(IPSEC)

Introduction to IKE (1/2)

• IKE is a mature, complex protocol for securely setting up keyed sessions, in particular IPsec Security Associations (SA)
• IKE evolved over several years from multiple proposals; IKEv2 is now `draft standard`
• IKE runs over UDP (port 500; port 4500 when NAT is detected); one IKE message per UDP datagram
• Uses (only) exchanges (request/response)
– Initiator makes a request, Responder responds
– Initiator (only) retransmits/aborts for reliability
– Not necessarily client/server! But usually the Initiator is the client.

Page 25

VPN(IPSEC)

Introduction to IKE (2/2)

Two phases

1st phase : set up the ISAKMP SA (Internet Security Association and Key Management Protocol)
– Algorithms, keys, etc. – to be used by IKE (not AH/ESP!)
– Perfect forward secrecy (PFS) : exposure of all keys does not expose past traffic [using Diffie-Hellman]

2nd phase : generate the IPsec SA
– Protected using the ISAKMP SA
– Many 2nd phases may share one ISAKMP SA (1st phase), e.g. one 1st phase for the gateways, then many 2nd phases, one for each pair of hosts using these gateways
– More efficient than the 1st phase; PFS optional

Page 26

VPN - Implementation

1. Kernel IPsec support : Linux kernel > 2.5.47
2. Package install : user-land tool : setkey; IKE tool : racoon (ipsec-tools)

Page 27

VPN - Implementation

• Turn on/verify the following features in kernel 2.6.x

Networking support (NET) [Y/n/?] y
*
* Networking options
*
PF_KEY sockets (NET_KEY) [Y/n/m/?] y
IP: AH transformation (INET_AH) [Y/n/m/?] y
IP: ESP transformation (INET_ESP) [Y/n/m/?] y
IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y
Cryptographic API (CRYPTO) [Y/n/?] y
HMAC support (CRYPTO_HMAC) [Y/n/?] y
Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y

Page 28

SSL / TLS

• SSL (Secure Socket Layer)
– Background : developed by Netscape in 1993 for secure communication between web servers and browsers
– Features : operates at the session layer and secures application-layer protocols such as FTP, TELNET and HTTP
– Server authentication, client authentication, confidentiality
– Status and outlook : adopted and in operation at many online shopping sites

• TLS (Transport Layer Security)
– Background : after SSL 3.0 was standardized, the IETF began standardizing the TLS protocol (SSLv3.1) in June 1996
– Backward compatible with SSLv3
– Features : an upgraded protocol based on SSL 3.0
– Status and outlook : TLS 1.2 has been published; continued development expected

Page 29

SSL / TLS

Functions of SSL / TLS

• Server authentication
– The user verifies the identity of the server
– Verifies that the server's certificate and public ID are valid
– Checks whether the server's certificate authority is in the client's list of trusted certificate authorities (using standard public-key cryptography)

• Client authentication
– The server verifies the identity of the client
– Verifies that the client's certificate and public ID are valid
– Checks whether the client's certificate authority is in the server's list of trusted certificate authorities (using standard public-key cryptography)

• Encrypted SSL connection
– All information sent and received between client and server is encrypted/decrypted
+ integrity is guaranteed

Page 30

SSL / TLS

SSL Architecture

Page 31

SSL / TLS

• Handshake protocol
– Performs mutual authentication between server and client and negotiates the security attributes : key exchange method, symmetric cipher, HMAC method, compression method, etc.

• Change Cipher Spec protocol
– Notifies the peer that the compression, MAC and encryption methods negotiated by the Handshake protocol apply from this point on

• Alert protocol
– Notifies the peer when the session ends or an error occurs

• Record protocol
– Fragments, compresses, authenticates (MAC) and encrypts upper-layer messages so that they can be transmitted securely

Page 32

SSL / TLS

SSL Record protocol

Page 33

SSL Record protocol

▣ Confidentiality
◈ using symmetric encryption with a shared secret key defined by the Handshake Protocol
◈ IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
◈ message is compressed before encryption

▣ Message integrity
◈ using a MAC with a shared secret key
◈ similar to HMAC but with different padding

SSL / TLS

Page 34

SSL / TLS

• Fragmentation
– 2^14 bytes (16384 bytes) or less

• Compression
– Optional, lossless
– No compression in SSLv3, TLS

• MAC

• Encryption
– IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128

MAC = hash( MAC_write_secret || pad_2 || hash( MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ) )
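The record MAC formula above carried out in Python, as an added example that is not from the lecture: pad_1 and pad_2 are runs of 0x36 and 0x5c bytes (48 for MD5, 40 for SHA-1, as in the SSL 3.0 specification), seq_num is a 64-bit counter, and the receiver recomputes the MAC with its own expected sequence number so that a replayed or reordered record fails verification; tls_mac shows the HMAC form that TLS 1.0 switched to. The secret and fragment values are constructed.

```python
import hashlib
import hmac
import struct

# SSLv3 pad lengths per hash: chosen so that secret || pad fills whole hash blocks.
# Same 0x36/0x5c bytes as HMAC, but concatenated after the secret rather than XORed into a block-sized key.
PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment))"""
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))  # 64-bit seq, 8-bit type, 16-bit length
    inner = hashlib.new(hash_name, mac_write_secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad_2 + inner).digest()


def tls_mac(mac_write_secret: bytes, seq_num: int, content_type: int, fragment: bytes,
            version=(3, 1), hash_name: str = "sha1") -> bytes:
    """TLS 1.0 (SSLv3.1) replaced the construction above with true HMAC and added the protocol version."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hash_name).digest()


def verify_record(mac_write_secret: bytes, expected_seq: int, content_type: int,
                  fragment: bytes, received_mac: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute with the receiver's own expected sequence number and compare in constant time."""
    calc = ssl3_mac(mac_write_secret, expected_seq, content_type, fragment, hash_name)
    return hmac.compare_digest(calc, received_mac)
```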

Page 35

SSL HandShake

Client → Server : 1 ClientHello
Server → Client : 2 ServerHello, 3 Certificate, 4 ServerKeyExchange, 5 CertificateRequest, 6 ServerHelloDone
Client → Server : 7 Certificate, 8 ClientKeyExchange, 9 CertificateVerify, 10 ChangeCipherSpec, 11 Finished
Server → Client : 12 ChangeCipherSpec, 13 Finished

Note: Optional or situation-dependent messages that are not always sent

Page 36

SSL/TLS - Implementation

OpenSSL (www.openssl.org) build
• Download the latest openssl package (v1.0.1c – 2012.5.10)
• Compile the package : ./config ; make ; make test ; make install
• Create the Root CA

Page 37

IDS/IPS

IDS (Intrusion Detection System), IPS (Intrusion Prevention System) : L2 ~ L7 pattern matching

IPS

Page 38

IDS/IPS

Pattern Matching : Regular Expression
| : gray|grey
? : colou?r matches both "color" and "colour"
* : ab*c matches "ac", "abc", "abbc", "abbbc", …
+ : ab+c matches "abc", "abbc", "abbbc", …, but not "ac"

Matching engines : DFA (Deterministic Finite Automaton), NFA (Nondeterministic Finite Automaton), PCRE (Perl Compatible Regular Expression), HFA (Hyper Finite Automaton)
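Added example (not from the lecture, and not Snort's own code): the four operators from the slide used in Snort-style signatures and run over packet payloads the way an IDS applies its compiled patterns to each decoded packet. The sids, messages, patterns and sample payloads are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed Snort-style signatures: (sid, message, pattern applied to the packet payload).
# Each pattern uses one of the operators from the slide: + , | , ? and * .
RULE_SPECS = [
    (1000001, "directory traversal sequence in URI", rb"(\.\./)+"),
    (1000002, "SQL UNION/SELECT keyword in request", rb"(?i)\b(union|select)\b"),
    (1000003, "clear-text password parameter", rb"(?i)passw(or)?d="),
    (1000004, "script tag in request body", rb"(?i)<script\b[^>]*>"),
]

# Constructed sample payloads, as an IDS would see them after decoding and preprocessing.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /../../../etc/passwd HTTP/1.0\r\n",
    b"POST /login HTTP/1.0\r\n\r\nuser=bob&passwd=hunter2",
    b"GET /search?q=1 UNION SELECT name FROM users HTTP/1.0\r\n",
]


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    matched: bytes


def compile_rules(specs):
    """Compile once at start-up; an IDS never recompiles its patterns per packet."""
    return [(sid, msg, re.compile(pat)) for sid, msg, pat in specs]


RULES = compile_rules(RULE_SPECS)


def scan_payload(payload: bytes, rules=RULES) -> list:
    """Run every rule over one payload; an IDS logs the alerts, an IPS can also drop the packet."""
    alerts = []
    for sid, msg, pat in rules:
        m = pat.search(payload)
        if m:
            alerts.append(Alert(sid, msg, m.group(0)))
    return alerts


def scan_all(payloads, rules=RULES) -> dict:
    """Map payload index -> list of matching sids, omitting payloads with no hits."""
    hits = {}
    for i, payload in enumerate(payloads):
        sids = [a.sid for a in scan_payload(payload, rules)]
        if sids:
            hits[i] = sids
    return hits
```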

Page 39

IDS/IPS - Implementation

Snort (www.snort.org), latest version : 2.9.3.1 (2012.8)

Page 40

IDS/IPS - Implementation

Architecture (diagram) : Snort running on a host system
– Packets from wire → Packet Capture Module → Decoder → Preprocessors → Detection Engine
– Detection Engine references the Detection Plug-ins and the Rule Storage (rules etc.)
– Detection Engine → Output Plug-ins (output to log file, console etc.) → Output Notification
– Detection Engine → Packet Out Module → Packets back on the wire (for IPS only)
– SnortXL Input Agent / SnortXL Output Agent

Page 41

Security Services

Page 42

Security Services

Security Consulting Service : penetration testing, security assessment, consulting

Security Monitoring/Management : remote security, network monitoring/management

Patch Management : Windows patches, anti-virus (virus signature) patches, software patches

Training