
Upload: doliem

Post on 14-Mar-2018


CS682-Network Security

Module-1

Introduction to Network Security

SYN

This is CS682, Network Security

There is a lab in RH219, get your accounts

Homework-0 is on-line: Part I, II due next week, Part III, IV due in two weeks

Homework submission: Hand over hardcopies at the beginning of the class

Randomly selected students will be asked for demos of their work

Website: http://isis.poly.edu/courses/cs682/

Prerequisites for CS682

CS392 – Website: http://isis.poly.edu/courses/cs392-f2002/

Textbook: “Computer Security: Art and Science,” Matt Bishop, 0201440997

CS918 or EL537 – Textbook: “TCP/IP Illustrated, Vol. 1,” Richard W. Stevens

Programming Reference: “Unix Network Programming, Vol. 1,” Richard W. Stevens, 013490012X

Basic Understanding of Operating Systems: CS623 – Operating Systems I

Textbook: “Operating System Concepts,” Silberschatz, Galvin, & Gagne

Prerequisites for CS682

Cryptography & Computer Security:

Symmetric & asymmetric key algorithms

Key Exchange, Authentication etc.

Hash, Message Digests, Signatures etc.

Networking:

TCP/UDP/ICMP

IP

Ethernet, ARP, RARP

Programming Environment:

Unix & C (Mostly Linux and ANSI C)

CASL (Custom Audit Scripting Language)

[Figure: XYZ Enterprise Network Layout – an external router/firewall in front of an internal router/firewall and switch; a server network backbone with Server_00, Server_01 and Server_02; a student network; department segments for Accounting, Sales, Information systems, Customer service and Human resources; and an IDS system]

What is This Course about?

We will explore:

Various vulnerabilities in network protocols and services.

Mechanisms to protect networks.

Security tools.

Overview of This Course

TCP/IP Suite

Vulnerabilities and solutions

Security protocols built on top of TCP/IP

Security devices and tools to test and protect networks

Network security theory and practice

In homework:

Explore TCP/IP vulnerabilities in detail by exploiting them using CASL

Learn to analyze a TCP/IP network for vulnerabilities

Write small client/server applications and learn to do penetration testing on your code and algorithm

Learn to set up security devices such as firewalls and IDS systems, and how to integrate them

“War Games” – a serious one if time permits

Introduction to TCP/IP

Legend: R/L = HTTP Request and Reply; TH/TF = TCP Header and Footer; IH/IF = IP Header and Footer; EH/EF = Ethernet Header and Footer

[Figure: Host A (HTTP web browser, TCP, IP, 3Com NIC driver) and Host B (HTTP web server, TCP, IP, 1GB NIC driver) exchange a request R and a reply L across the network cloud. Each layer wraps the data of the layer above: R at the HTTP layer; TH R TF at TCP; IH TH R TF IF at IP; EH IH TH R TF IF EF on the wire. The reply L is wrapped the same way in the other direction. Peer layers communicate over logical links: HTTP protocol, TCP protocol, network.]

Security Issues in Networking

Life is great here (An ideal life)

Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on the availability. Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system.

[Figure: normal flow from Host A to Host B; interruption – the flow from Host A to Host B is cut]

Security Issues in Networking

Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer. Examples include wiretapping to capture data in a network, and the illicit copying of files or programs.

[Figure: interception – Host C reads the flow between Host A and Host B]

Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on the integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network.

[Figure: modification – Host C intercepts and alters the flow between Host A and Host B]

Security Issues in Networking

Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on the authenticity. Examples include the insertion of spurious messages in a network or the addition of records to a file.

[Figure: fabrication – Host C injects counterfeit traffic into the flow between Host A and Host B]

Attacks can be classified into two broad categories: passive attacks and active attacks.

Passive Attacks can only observe communications or data.

Active Attacks can actively modify communications or data. Often difficult to perform, but very powerful. Example: Mail forgery/modification, and TCP/IP spoofing/session hijacking.

Security Issues in TCP/IP

TCP/IP was not designed with security in mind. Most of the attacks present today were unheard of during the design of TCP/IP.

It was designed to protect DoD network infrastructures.

It does not have a strong authentication mechanism. The primary objective during the design was to have a robust communication protocol that would survive partial network damage.

There was no threat from the insider; the notion of having a malicious node did not exist (nodes were missile silos).

Network Programming in Unix

Network programming jargon:

Address: a bit string identifying a machine

Port: an entry point via network into a machine

Socket: {address, port} pair

Binding: process of attaching to a port

Client-Server Model:

[Figure: the client sends a Request to the server; the server returns a Response]

Client-Side Programming

1. Initialize environment

2. Create a socket

3. Identify server’s IP address, port number

4. Establish a connection to server

5. Read/write as if the socket were a file

6. Close connection

7. Exit program

1. struct sockaddr_in server; bzero(&server, sizeof(server));

2. sockfd = socket(AF_INET, SOCK_STREAM, 0);

3. server.sin_family = AF_INET; server.sin_port = htons(80); inet_pton(AF_INET, argv[1], &server.sin_addr);

4. connect(sockfd, (struct sockaddr *)&server, sizeof(server)); /* connect() takes the generic struct sockaddr *, hence the cast */

5. read(sockfd, buffer, max_buffer); /* write(sockfd, ...) likewise; check the return values */

6. close(sockfd);

7. exit(0);

Server-Side Programming

1. Initialize environment

2. Create socket

3. Bind socket to a port

4. Listen on port

5. Accept connection

6. Read/write

7. Close connection

8. Exit program

1. struct sockaddr_in server; bzero(&server, sizeof(server));

2. listenfd = socket(AF_INET, SOCK_STREAM, 0);

3. server.sin_family = AF_INET; server.sin_addr.s_addr = htonl(INADDR_ANY); server.sin_port = htons(80); bind(listenfd, (struct sockaddr *)&server, sizeof(server));

4. listen(listenfd, 0); /* second argument is the backlog of pending connections */

5. connfd = accept(listenfd, NULL, NULL);

6. read(connfd, buffer, buff_max);

7. close(connfd);

8. exit(0);
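The client and server sequences above as an added worked example (not the lecture's code): the listener and connector wrapped in functions, with the struct sockaddr casts and the error checks the fragments omit. It assumes IPv4 on the loopback address 127.0.0.1; the function names are my own.

```c
/* Added example (not the lecture's code): the client and server sequences
 * above as functions, with the sockaddr casts and error checks the
 * fragments omit.  Assumes IPv4 and the loopback address 127.0.0.1. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server steps 1-4: socket, bind to 127.0.0.1:port (0 = let the kernel
 * choose), listen.  Returns the listening fd, or -1 on error. */
int tcp_listen(unsigned short port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));                /* bzero() on the slide */
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* not INADDR_ANY: local only */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(fd, 8) < 0) {                       /* backlog of 8 pending connections */
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the listener actually got; needed when bound to port 0. */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    return ntohs(addr.sin_port);
}

/* Client steps 2-4: socket, fill in the server address, connect.
 * Returns the connected fd, or -1 if the address is bad or connect fails. */
int tcp_connect(const char *ip, unsigned short port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

After tcp_listen() the server calls accept(), then read()/write() on the returned fd and close(); the client calls tcp_connect(), write()/read() and close(), which are exactly the remaining steps on the slides.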

On the Wire

[Figure: the client's connect() sends SYN (client in SYN_SENT); the server, after listen() and accept(), answers SYN,ACK (SYN_RCVD); the client's ACK puts both sides in ESTABLISHED. The client write()s the Request and the server read()s it; the server write()s the Reply (carrying an ACK), the client read()s it and ACKs. Teardown: the client's close() sends FIN (FIN_WAIT1); the server ACKs (CLOSE_WAIT) and the client moves to FIN_WAIT2; the server's close() sends FIN (LAST_ACK); the client ACKs, waits in TIME_WAIT, then CLOSED.]

References and Reading Assignments

Read about TCP/IP from http://citeseer.nj.nec.com/cache/papers/cs/21491/http:zSzzSzwww.cs.um.edu.mtzSz~kvelzSzCSA401zSzibm-tcpip.pdf/tcp-ip-tutorial-and.pdf

(Look for “tcp ip security” at http://www.researchindex.com)

From Books 24x7 (http://dibner.poly.edu/)

Read about Linux Socket programming from Books 24x7

Search in Google for more practical examples

Review CS392 lecture notes for general issues in information security. (http://isis.poly.edu/courses/cs392/)

Taxonomy of Network Vulnerabilities

Vulnerabilities Classification:

Improper Design of Protocol (e.g.: 802.11 Security)

Improper Implementation of Protocol (e.g.: Teardrop)

Improper Configuration of Protocol (e.g.: Smurf)

Exploit Modes:

Passive Exploits (e.g.: Packet Sniffing)

Blind Exploits (e.g.: Spoofing)

Active Exploits (e.g.: Session Hijacking)

Where to Find Vulnerabilities:

Application Level (e.g.: Cross Site Scripting)

Protocol Level (e.g.: Teardrop)

MAC (e.g.: Jamming)

Packet Sniffing

Sniffers are wire-tap devices (software + hardware) that can be plugged into a computer network to eavesdrop on computers in the network. Sniffing requires physical access to the network medium. It is a passive activity, in that sniffing doesn’t introduce new packets into the network. Sniffing is useful in two ways:

1. Eavesdropping (e.g.: extracting passwords or IDs)

2. Traffic Analysis (e.g.: tracking ssh connections)

Packet Sniffers have two phases:

1. Packet Capture Phase

2. Protocol Analysis Phase

Two essential ingredients for successful sniffing:

1. Shared Media

2. Promiscuous Mode Operations

Anatomy of a sniffer

In normal mode, the network interface card discards packets not destined to the current host. Promiscuous mode disables this function and allows all packets to flow through the network stack. A sniffer would simply capture these packets for consumption. There is more to a sniffer than setting a network card to promiscuous mode.

[Figure: normal network interface operation – “is destination?” no: discard, yes: pass to the application; promiscuous-mode network interface operation – the “is destination?” check is skipped and every packet passes up to the sniffer]

Anatomy of a sniffer

Media: usually an Ethernet card, but it could also be a wireless card or anything else.

Capture Driver: software driver to capture and filter network traffic. E.g.: pcap and BPF.

Buffer: packets must be temporarily buffered prior to storage or processing. Usually fill-buffered or round-robin.

Decode: packets must be decoded to a human-readable form.

Logging: permanent storage of packets for offline analysis.

[Figure: sniffer pipeline – Packets → Media → Capture Driver → Buffer → Decode → Logging/Editing]

Popular sniffers:

Ethereal – excellent protocol analyzer

tcpdump – you’ll use this in homework

Carnivore – FBI uses this at ISPs

Aerosnort – 802.11 wireless sniffer

Uses of sniffers

Stealing clear-text content on the wire and in the air: passwords, credit card numbers, “secret” email conversations

Network traffic analysis: if the network content is encrypted, then perform traffic analysis to extract partial information (famous pizza delivery to Pentagon story)

Intrusion detection systems are built on sniffers

Traffic logging for forensics

Fault analysis of networks

Performance analysis to identify bottlenecks

Are sniffers bad? Yes and no!

Sniffing out the sniffers…

Sniffing is a passive activity, hence done properly it is impossible to detect a sniffer! However, there are some practical solutions:

Local detection of promiscuous mode

Improper response to ping

Improper response to ARP queries

Improper response to DNS queries

Source routing to suspicious node

Employing a honeypot

Network latency monitoring

Time-domain reflectometers

SNMP monitoring

Can you design a sniffer to counter these detection methods?

Detection of promiscuous mode

If you suspect a machine is running a sniffer, then use ifconfig to find out if the NIC is in promiscuous mode. Obviously, you will use an ifconfig binary from a trusted machine or CD-ROM.

# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:AA:AA:AA:AA:AA

inet addr:0.0.0.0 Bcast:0.0.0.55 Mask:255.255.255.0

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

RX packets:595017 errors:0 dropped:0 overruns:0 frame:0

TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

Interrupt:10 Base address:0xb800

Improper Response to Pings

Remember how the sniffers put the network card into promiscuous mode?

Any packet, whether it is destined to the machine or not, is sent through the network stack.

We can exploit this fact to trick the sniffers into giving up their locations.

Send a ping (ICMP Echo Request) to a suspected sniffer with the IP of the sniffer but with a MAC of another machine. What happens in the network stack:

1. Card receives the packet.

2. Since it is in promiscuous mode, it ignores the MAC address, removes the Ethernet header and sends the packet to IP.

3. IP checks the IP destination; since it is the proper destination, it sends the packet to ICMP.

4. ICMP sends an Echo Reply!

5. Ooops!

We know we should not be receiving a reply for this packet, since the MAC and IP are mismatched!

Improper Response to Pings

This method can be generalized to:

1. Any protocol or service that sends a response, such as TCP connection establishment or telnet.

2. Any protocol or service that generates an error message in response, such as bad IP packets.

Can we fix the sniffer not to give up its location?

Sure. Do more sanity checks on the packets addressed to the machine using a software filter.

Improper response to ARP queries

Similar to the method described earlier.

Send an ARP request to a non-broadcast address; if a machine replies, then it is running in promiscuous mode.

Another method: ARP requests are cached, since the machine that sends the request includes its own mapping in the request.

1. Send a non-broadcast ARP

2. Send a broadcast ping

3. The machine that replies without an ARP could have only gotten the mapping from our previous ARP, so it should be in promiscuous mode.

Improper Response to DNS Queries

Some sniffers do reverse-DNS lookups on IP addresses they see.

To identify sniffers, do a ping sweep on addresses that do not exist.

Watch the DNS server for reverse-DNS queries for these addresses.

By doing a reverse-DNS lookup, sniffers violate the passive activity code: they begin to inject packets into the network. Probably not a good design decision.

Source routing to suspicious node

In source routing, intermediate routers ignore routing tables and simply forward the packets to next hop in the list.

We use the idea in the following way:

1. Create a source routed ping to the suspicious node.

2. Make the intermediary nodes non-routing.

3. Send the packet on the wire.

4. If we get a response from the suspicious node, then the node is in promiscuous mode, because our intermediary would have dropped the packet since it doesn’t route, so the suspicious node could only have gotten this packet by sniffing the wire.

Other Methods

Employing a honeypot: Let an automated script generate clear-text traffic and lure the hackers into sniffing the traffic. The fact that the password is sniffed can be used to identify the sniffer.

Network latency monitoring: Uses the fact that sniffers process an unusually large number of packets to detect the sniffer. Load the network with dummy packets and ping sweep the machines. The ones with sniffers will have large latency. (Not a viable solution.)

Time-domain reflectometers: TDRs work like RADAR. A TDR sends out a pulse and detects reflections off the wire. This can also detect addressless passive hardware sniffers on the wire.

SNMP monitoring: Lets you track connection details. If a packet takes an unusual path on the network, most probably a sniffer is trying to lure packets its way. Known as ARP spoofing.

How to avoid sniffers

Replace the hub (shared medium) with a switch (switched medium)

Switch jamming

ARP spoof

ICMP Redirect

ICMP Router Advertisements

Cable taps

Never send clear-text messages on the wire:

SSH for telnet

SFTP for FTP

SSL-tunneled IMAP for IMAP

PGP for unencrypted email

VPN for clear-text traffic

Broadband and wireless connections are sniffable.

Sniffers and Anti-Sniffers

tcpdump*

Ethereal

Etherpeek

AeroSnort

Snoop

Dsniff

Snort

Antisniff

Sentinel

ifconfig/ifstatus

NEPED (Network Promiscuous Ethernet Detector)

CPM (Check Promiscuous Mode)

Route Discovery

Packets to and from a host have route symmetry on the Internet. This means that with high probability packets from node A to node B travel the same path as packets from node B to node A. And most often packets from the same source to the same destination follow the same path. Our goal is to find the intermediate nodes a packet travels through to reach a remote node. How shall we implement this?

Using IP Record Route Option (RR)

We can use the IP record route option with ICMP Echo Request (ping -R). This allows intermediate routers to put their IP addresses in the header; when the packet reaches the destination, it copies the route into the Echo Reply and sends it back to the source. This is not a good implementation. Why?

1. Requires all routers to support RR.

2. Requires a ping server at the destination. Most ping servers reflect the Echo Request, so the return path is also recorded.

3. There is no room for long paths. The IP header has room for only 9 addresses, but routes in the current Internet are longer; the average is about 14 hops.

So we need an implementation that doesn’t depend on any special servers and works by default on any router.

Using IP TTL Field

The TTL field is used as a simple hop count at the routers. When a router receives a datagram with TTL 1 or 0, it discards the datagram and sends an ICMP Time Exceeded message to the source. This Time Exceeded message has the router’s IP as the source address. We can now easily build route discovery based on this information:

    i = 1;
    while (i <= 255) {
        send_UDP(TTL = i, dest, port = 65521);   /* probe: UDP to an unlikely port */
        if (receive_ICMP(dest) == "Port Unreachable")
            break;                               /* destination reached */
        ++i;                                     /* otherwise a Time Exceeded came back: next hop */
    }

Using IP TTL FieldThe algorithm works as follows:

1. We send a UDP packet to a large port number (65521), wrapped in an IP datagram with TTL=1…255.

2. When the TTL reaches 1 or 0, routers return ICMP Time Exceeded. Then, we increment the TTL by one and send the packet again.

3. When the packet reaches the destination, it sends out an ICMP Port Unreachable message, because it is highly unlikely that any application is listening on the port we randomly chose.

4. Algorithm terminates either when it gets Port Unreachable or TTL=255.

This implementation relies only on default behaviors of routers and a standard UDP implementation at the destination.
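An added example (not the lecture's code) of the receive side of this algorithm: the function that classifies an ICMP message read from a raw socket as a Time Exceeded from an intermediate router or a Port Unreachable from the destination, and checks the UDP destination port quoted inside the error (65521 as on the slide) so that unrelated ICMP traffic is not mistaken for a hop. The sample-packet builder is a constructed stand-in for real captures; function and type names are my own.

```c
/* Added example (not the lecture's code): classify the ICMP reply to a
 * route-discovery probe.  The probe is a UDP datagram to port 65521 as on
 * the slide; an ICMP error quotes the probe's IP header plus its first 8
 * bytes (the UDP header), so the quoted destination port ties a reply to us. */
#include <stdint.h>
#include <string.h>

#define PROBE_PORT 65521
enum { HOP_NONE = 0, HOP_ROUTER = 1, HOP_DEST = 2 };

struct hop_reply {
    uint8_t src[4];      /* sender of the ICMP error: a router or the destination */
    uint8_t type, code;
};

/* pkt: raw IPv4 packet as read from a raw ICMP socket.  Returns HOP_ROUTER
 * for Time Exceeded (type 11), HOP_DEST for Port Unreachable (type 3,
 * code 3), HOP_NONE for malformed input or traffic that is not our probe. */
int classify_icmp(const uint8_t *pkt, size_t len, struct hop_reply *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return HOP_NONE;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1) return HOP_NONE;   /* 1 = ICMP */
    const uint8_t *icmp = pkt + ihl;
    const uint8_t *inner = icmp + 8;              /* quoted original datagram */
    size_t inner_len = len - ihl - 8;
    if (inner_len < 20) return HOP_NONE;
    size_t inner_ihl = (inner[0] & 0x0f) * 4;
    if (inner_ihl < 20 || inner_len < inner_ihl + 8 || inner[9] != 17)
        return HOP_NONE;                          /* 17 = UDP */
    const uint8_t *udp = inner + inner_ihl;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);
    if (dport != PROBE_PORT) return HOP_NONE;     /* someone else's traffic */
    memcpy(out->src, pkt + 12, 4);                /* outer IP source address */
    out->type = icmp[0];
    out->code = icmp[1];
    if (out->type == 11) return HOP_ROUTER;
    if (out->type == 3 && out->code == 3) return HOP_DEST;
    return HOP_NONE;
}

/* Constructed sample (not a capture): outer IPv4 from `src` carrying ICMP
 * type/code, quoting a minimal IPv4+UDP probe to `dport`.  buf needs 56
 * bytes; returns the packet length. */
size_t build_icmp_error(uint8_t type, uint8_t code, const uint8_t src[4],
                        uint16_t dport, uint8_t *buf)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[9] = 1; memcpy(buf + 12, src, 4); /* outer IP */
    buf[20] = type; buf[21] = code;                                   /* ICMP header */
    buf[28] = 0x45; buf[31] = 28; buf[37] = 17;                        /* quoted IP, UDP */
    buf[50] = (uint8_t)(dport >> 8); buf[51] = (uint8_t)dport;        /* quoted UDP dst */
    return 56;
}
```

In the discovery loop, call classify_icmp() on each datagram recvfrom() returns on a raw ICMP socket (root required): HOP_ROUTER records out->src as the hop for the current TTL, HOP_DEST ends the loop.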

Uses of Route Discovery

Maps out the network topology (Look at the map of Internet in our lab)

To get an idea of the network neighborhood

Network fault analysis:

Router failures

Routing loops

Network bottlenecks

Route Discovery Tools:

traceroute/tracert

Visual Route (fun stuff)

Summary of Today’s Lecture

You have two weeks utmost to play catch up

Drop by the lab and get your accounts

Start working on homework-0

We covered:

Extremely quick review of networking

Somewhat quick review of network programming

Sniffing

Route discovery

Coming up next week…

CASL

Fingerprinting

Spoofing