Network Security - University of Engineering and Technology, Taxila

Network Security
Professor
Dr. Adeel Akram
Introduction to Network Security
Course Topics
► Security basics:
  • Services: integrity, availability, authentication, etc.; basics of cryptography
  • Attacks: interruption, modification
► Vulnerabilities and countermeasures:
  • Viruses, worms, Trojan horses, backdoors, unused services
► Exploits:
  • Buffer overflow, port scanning, Nessus and related tools, incident handling and recovery
► Applications of security:
  • System security, intrusion detection, remote authorization tools
  • Secure (commerce) transactions over a network
slide 3
Course Outline: Basic topics
► Security basics:
  • Services: integrity and availability, authentication, etc.
  • Attacks: interruption, modification
► Vulnerabilities and countermeasures:
  • Viruses, worms, Trojan horses, backdoors
► Applications of security:
  • System security, intrusion detection, remote authorization tools
  • Secure (commerce) transactions over a network
► Biometric authentication:
  • Types of biometric authentication: fingerprints, retina scans, voice, DNA
  • Algorithms for biometric authentication
► Cryptography:
  • Symmetric cryptography, block ciphers, public-key cryptography, number theory, hash functions, key exchange
slide 4
Course Outline: Network Security
► Architecture
► Physical and link layer
► Network layer
► Transport layer
► Application layer: DNS, RPC, NFS
► Application layer: routing
► Wireless networks
► More secure protocols: DNSSEC, IPsec, IPv6
slide 5
Course Objectives
Introduction to concepts in
► Computer and network security:
  • To understand the vulnerabilities, threats, and countermeasures present in computer and network systems
► Biometric authentication:
  • To understand the different human characteristics and algorithms that are used for authentication
► Internet and Web security:
  • To understand TCP/IP and DNS security and gain some practical experience in attacking and defending networked systems
slide 6
Course Objectives
► Cryptography:
  • To understand the formal tools available for securing data and services
  • To understand the fundamental algorithms of cryptology, the risks and vulnerabilities of networked systems, and how to use existing network security protocols to build secure systems
slide 7
Text Books
► Network Security: Private Communication in a Public World, 2/E, by C. Kaufman, R. Perlman, M. Speciner, PHI Learning (2009)
  • Most of the topics from this book will be followed during this course.
  • All relevant material will be provided as notes or as part of the class slides.
slide 8
Text Books
► Cryptography and Network Security, by William Stallings, Prentice Hall, 4th Edition, 2006
  • A few topics from this book will be followed during this course.
  • All relevant material will be provided as notes or as part of the class slides.
slide 9
Text Books
► Network Security Essentials, by William Stallings, Prentice Hall, 2nd Edition, 2003
  • A few topics from this book will be followed during this course.
  • All relevant material will be provided as notes or as part of the class slides.
slide 10
Other Books
► Ross Anderson’s “Security Engineering”
  • Focuses on design principles for secure systems
  • Examples from banking, nuclear command and control, burglar alarms
► “The Shellcoder’s Handbook”
  • Practical how-to manual for hacking attacks
  • Not a required text, but extremely useful for the practical implementation of buffer overflow attacks
slide 11
Occasional Assigned Reading
► Kevin Mitnick’s “The Art of Intrusion”
  • Real-world hacking stories
  • Good illustration of many concepts in this course
► Start reading “Smashing the Stack for Fun and Profit” by Aleph One (from Phrack hacker magazine)
  • Understanding it provides essential knowledge for exploiting, and protecting against, OS stack vulnerabilities
slide 12
Main Themes of the Course
► Vulnerabilities of networked applications
  • Worms, denial of service attacks, malicious code arriving from the network, attacks on infrastructure
► Defense technologies
  • Protection of information in transit: cryptography, application- and transport-layer security protocols
  • Protection of networked applications: firewalls and intrusion detection
slide 13
Main Themes of the Course
► Study a few deployed systems in detail: from design principles to gory implementation details
  • Kerberos, SSL/TLS, IPsec
slide 14
What This Course is Not About
► Not a comprehensive course on computer security
► Not a course on ethical, legal or economic issues
  • No file sharing, DMCA, free speech issues
► Only a brief overview of cryptography
slide 15
What This Course is Not About
► Only some issues in systems security
  • No access control, OS security, language-based security
  • Very little about secure hardware
  • Will cover buffer overflow: the #1 cause of remote penetration attacks
slide 16
Syllabus (1): Security Mechanisms
► Basics of cryptography
  • Symmetric and public-key encryption, certificates, cryptographic hash functions, pseudo-random generators
► Authentication and key establishment
  • Case study: Kerberos
► IP security
  • Case study: IPsec protocol suite
► Web security
  • Case study: SSL/TLS (Transport Layer Security)
slide 17
Syllabus (2): Attacks and Defenses
► Buffer overflow attacks
► Network attacks
  • Distributed denial of service
  • Worms and viruses
  • Attacks on routing and DNS infrastructure
► Defense tools
  • Firewalls and intrusion detection systems
► Wireless security
► Spam and phishing
slide 18
Peek at the Dark Side
The only reason we will be
learning about attack techniques
is to build better defenses
Don’t even think about using
this knowledge to attack anyone
slide 19
Motivation
slide 20
Excerpt From “General Terms of Use”
YOU ACKNOWLEDGE THAT NEITHER WELLS
FARGO, ITS AFFILIATES NOR ANY OF THEIR
RESPECTIVE EMPLOYEES, AGENTS, THIRD
PARTY CONTENT PROVIDERS OR LICENSORS
WARRANT THAT THE SERVICES OR THE SITE
WILL BE UNINTERRUPTED OR ERROR FREE;
NOR DO THEY MAKE ANY WARRANTY AS TO
THE RESULTS THAT MAY BE OBTAINED FROM
USE OF THE SERVICES OR THE SITE, OR AS
TO THE TIMELINESS, SEQUENCE, ACCURACY,
RELIABILITY, COMPLETENESS OR CONTENT OF
ANY INFORMATION, SERVICE, OR
MERCHANDISE PROVIDED THROUGH THE
SERVICES AND THE SITE.
slide 21
“Privacy and Security”
“As a Wells Fargo customer, your privacy
and security always come first.”
Privacy policy for individuals
Online privacy policy
Our commitment to online security
Online and computer security tips
How we protect you
General terms of use
slide 22
What Do You Think?
What do you think should be included in
“privacy and security” for an e-commerce
website?
slide 24
Desirable Security Properties
► Authenticity
► Confidentiality
► Integrity
► Availability
► Accountability and non-repudiation
► Freshness
► Access control
► Privacy of collected information
► Integrity of routing and DNS infrastructure
slide 25
What Drives the Attackers?
► Put up a fake financial website, collect users’ logins and passwords, empty out their accounts
► Insert a hidden program into unsuspecting users’ computers, use them to spread spam
► Subvert copy protection, gain access to music and video files
► Stage denial of service attacks on websites, extort money
► Wreak havoc, achieve fame and glory in the blackhat community
slide 26
Network Stack
Layer         Example             Attacks
people                            phishing attacks, usability
application   email, Web, NFS     Sendmail, FTP, NFS bugs; chosen-protocol and version-rollback attacks
session       RPC                 RPC worms, portmapper exploits
transport     TCP                 SYN flooding, RIP attacks, sequence number prediction
network       IP                  IP smurfing and other address spoofing attacks
data link     802.11              WEP attacks
physical      RF                  RF fingerprinting, DoS
Only as secure as the single weakest layer…
… or the interconnection between the layers
slide 27
Network Defenses
Level             Component                   Examples
People            End users                   Password managers, company policies…
Systems           Implementations             Firewalls, intrusion detection…
Blueprints        Protocols and policies      TLS, IPsec, access control…
Building blocks   Cryptographic primitives    RSA, DSS, SHA-1…
… all defense mechanisms must work correctly and securely
Correctness versus Security
► System correctness: the system satisfies its specification
  • For reasonable input, get reasonable output
► System security: system properties are preserved in the face of attack
  • For unreasonable input, the output is not completely disastrous
► Main difference: active interference from an adversary
► Modular design may increase vulnerability …
► … but also increases security (small TCB)
slide 29
Bad News
► Security is often not a primary consideration
  • Performance and usability take precedence
► Feature-rich systems may be poorly understood
► Implementations are buggy
  • Buffer overflows are the “vulnerability of the decade”
  • Cross-site scripting and other Web attacks
► Networks are more open and accessible than ever
  • Increased exposure, easier to cover tracks
► Many attacks are not even technical in nature
  • Phishing, impersonation, etc.
slide 30
Better News
► There are a lot of defense mechanisms
  • We’ll study some, but by no means all, in this course
► It’s important to understand their limitations
  • “If you think cryptography will solve your problem, then you don’t understand cryptography… and you don’t understand your problem” -- Bruce Schneier
  • Many security holes are based on misunderstanding
► Security awareness and user “buy-in” help
► Other important factors: usability and economics
slide 31
Reading Assignment
► Review Kaufman, section 1.5
  • Primer on networking
► Start reading the buffer overflow materials on the course website (CMS)
  • “Smashing the Stack for Fun and Profit”
► http://web.uettaxila.edu.pk/CMS/AUT2010/teNSbs
slide 32
Why study computer security?
► (1) Computer security is fundamental to individual privacy.
► Many of us keep personal data on our accounts: emails, bookmarks, coursework.
► Many of us use the network to send or retrieve personal data.
► Many remote computers keep personal data for us: financial data and accounts, medical history.
► We want to protect these resources.
slide 33
Why study computer security?
► (2) Our society is increasingly reliant on the proper operation of networked computer systems, and on the integrity of their data.
  • Financial and commercial operations, medical operations, meteorological, government, social welfare, and so on (not to mention the Internet itself).
► The protection of these systems is as vital as our dependence on the services they provide.
► An understanding of their limitations is vital.
► Exploited systems have resulted in people’s deaths. (Unavailable forecasts have caused a ship at sea to be lost.)
slide 34
What is cryptology?
► Greek: “krypto” = hide
► Cryptology – the science of hiding = cryptography + cryptanalysis + steganography
► Cryptography – secret writing
► Cryptanalysis – analyzing (breaking) secrets
  • Cryptanalysis is what the attacker does
  • Deciphering or decryption is what the legitimate receiver does
slide 35
Steganography
► “Covered” messages
► Technical steganography
  • Invisible ink, shaved heads, microdots
► Linguistic steganography
  • “Open code” – the secret message appears innocent
  • “East wind rain” = war with USA
  • Hide the message in the low-order bits of a GIF
slide 36
Cryptology and Security
Cryptology is a branch of mathematics.
Security is about people.
slide 37
Terminology
Alice encrypts plaintext P into ciphertext C = E(P)
C is sent over an insecure channel, where Eve can observe it
Bob decrypts: P = D(C)
E must be invertible
slide 38
Cryptography
► Always involves 2 things:
  • Transformation
  • Secret
slide 39
Alice and Bob
Alice encrypts plaintext P under encryption key KE; Bob decrypts ciphertext C under decryption key KD
C = E(KE, P) = E_KE(P)
P = D(KD, C) = D_KD(C)
If KE = KD it is symmetric encryption
If KE ≠ KD it is asymmetric encryption
slide 40
Substitution Cipher
► C = E_K(p), C_i = K[p_i]
► Key is an alphabet mapping: a → J, b → L, ...
► Suppose the attacker knows the algorithm but not the key; how many keys must be tried?
  • 26! ≈ 4 × 10^26
  • Even if every person on earth tried one key per second, exhausting the key space would take on the order of a billion years.
slide 41
Monoalphabetic Cipher
“XBW HGQW XS ACFPSUWG FWPGWXF
CF AWWKZV CDQGJCDWA CD BHYJD
DJXHGW; WUWD XBW ZWJFX PHGCSHF
YCDA CF GSHFWA LV XBW KGSYCFW
SI FBJGCDQ RDSOZWAQW OCXBBWZA
IGSY SXBWGF.”
slide 42
Frequency Analysis
“XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA
CD BHYJD DJXHGW; WUWD XBW ZWJFX PHGCSHF YCDA CF
GSHFWA LV XBW KGSYCFW SI FBJGCDQ RDSOZWAQW
OCXBBWZA IGSY SXBWGF.”
Ciphertext letter counts: W: 20, C: 11, F: 11, G: 11
“Normal” English: e 12%, t 9%, a 8%
slide 43
Pattern Analysis
“XBe HGQe XS ACFPSUeG FePGeXF CF AeeKZV CDQGJCDeA
CD BHYJD DJXHGe; eUeD XBe ZeJFX PHGCSHF YCDA CF
GSHFeA LV XBe KGSYCFe SI FBJGCDQ RDSOZeAQe
OCXBBeZA IGSY SXBeGF.”
XBe = “the”
Most common trigrams in English:
the = 6.4%
and = 3.4%
slide 44
Guessing
“the HGQe tS ACFPSUeG FePGetF CF
AeeKZV CDQGJCDeA CD hHYJD DJtHGe;
eUeD the ZeJFt PHGCSHF YCDA CF
GSHFeA LV the KGSYCFe SI FhJGCDQ
RDSOZeAQe OCthheZA IGSY StheGF.”
S = “o”
slide 45
Guessing
“the HGQe to ACFPoUeG FePGetF CF
AeeKZV CDQGJCDeA CD hHYJD DJtHGe;
eUeD the ZeJFt PHGCoHF YCDA CF
GoHFeA LV the KGoYCFe oI FhJGCDQ
RDoOZeAQe OCthheZA IGoY otheGF.”
otheGF = “others”
slide 46
Guessing
“the HrQe to ACsPoUer sePrets Cs
AeeKZV CDQrJCDeA CD hHYJD DJtHre;
eUeD the ZeJst PHrCoHs YCDA Cs
roHseA LV the KroYCse oI shJrCDQ
RDoOZeAQe OCthheZA IroY others.”
“sePrets” = “secrets”
slide 47
Guessing
“the HrQe to ACscoUer secrets Cs
AeeKZV CDQrJCDeA CD hHYJD DJtHre;
eUeD the ZeJst cHrCoHs YCDA Cs
roHseA LV the KroYCse oI shJrCDQ
RDoOZeAQe OCthheZA IroY others.”
“ACscoUer” = “discover”
slide 48
Guessing
“the HrQe to discover secrets is
deeKZV iDQrJiDed iD hHYJD DJtHre;
eveD the ZeJst cHrioHs YiDd is
roHsed LV the KroYise oI shJriDQ
RDoOZedQe OithheZd IroY others.”
slide 49
Monoalphabetic Cipher
“The urge to discover secrets is deeply
ingrained in human nature; even the least
curious mind is roused by the promise of
sharing knowledge withheld from others.”
- John Chadwick,
The Decipherment of Linear B
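The substitution cipher, the letter and trigram counts, and the chain of guesses from the preceding slides, carried out in code. This is an added Python example, not code from the lecture; the ciphertext is the one printed above, while the function names, the guess table and the figure of 7 billion guessers are my choices.

```python
"""Monoalphabetic substitution: encryption, key-space size, and the frequency and
pattern analysis walked through on the slides.  Added example, not lecture code."""
from collections import Counter
from math import factorial
import random
import string

ALPHABET = string.ascii_lowercase

# The ciphertext printed on the slides (the solution is the Chadwick quotation).
CIPHERTEXT = ("XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; "
              "WUWD XBW ZWJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ "
              "RDSOZWAQW OCXBBWZA IGSY SXBWGF.")


def make_key(seed=None):
    """Key = a permutation of the alphabet, plaintext letter -> ciphertext letter."""
    perm = list(ALPHABET)
    random.Random(seed).shuffle(perm)
    return dict(zip(ALPHABET, perm))


def encrypt(plaintext, key):
    """C_i = K[p_i]; ciphertext written in upper case, non-letters passed through."""
    return "".join(key[c].upper() if c in key else c for c in plaintext.lower())


def decrypt(ciphertext, key):
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(c.lower(), c) for c in ciphertext)


def letter_counts(text):
    """Single-letter frequencies (the slides' "W: 20, C: 11, F: 11, G: 11")."""
    return Counter(c for c in text.upper() if c.isalpha())


def trigram_counts(text):
    """Sliding three-letter windows inside words; "the" dominates in English."""
    counts = Counter()
    for word in text.upper().split():
        word = "".join(c for c in word if c.isalpha())
        counts.update(word[i:i + 3] for i in range(len(word) - 2))
    return counts


def apply_guesses(ciphertext, table):
    """The slides' partial views: guessed letters in lower case, the rest untouched."""
    return "".join(table.get(c, c) for c in ciphertext)


# The slides' chain of guesses (ciphertext letter -> plaintext letter), in order.
GUESSES = [
    {"W": "e"},                                      # most frequent letter -> e
    {"X": "t", "B": "h"},                            # most frequent trigram XBW -> the
    {"S": "o"},                                      # "XS" -> "to"
    {"G": "r", "F": "s"},                            # "otheGF" -> "others"
    {"P": "c"},                                      # "sePrets" -> "secrets"
    {"A": "d", "C": "i", "U": "v"},                  # "ACscoUer" -> "discover"
    {"H": "u", "Q": "g", "K": "p", "Z": "l", "V": "y", "D": "n", "J": "a",
     "Y": "m", "L": "b", "I": "f", "R": "k", "O": "w"},   # the remainder falls out
]


def solve(ciphertext, steps=GUESSES):
    """Apply the guesses cumulatively and return every intermediate view."""
    table, views = {}, []
    for step in steps:
        table.update(step)
        views.append(apply_guesses(ciphertext, table))
    return views


def brute_force_years(guessers, guesses_per_second=1):
    """Years needed to exhaust all 26! keys with `guessers` people each trying
    `guesses_per_second` keys (7e9 people is an assumed population figure)."""
    return factorial(26) / (guessers * guesses_per_second * 365.25 * 86400)


if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(4))
    print(trigram_counts(CIPHERTEXT).most_common(3))
    for view in solve(CIPHERTEXT):
        print(view)
    print(f"26! = {factorial(26):.3e} keys; 7e9 people at 1 key/s need "
          f"{brute_force_years(7e9):.2e} years")
```

Running the script prints the same intermediate views as the slides, one guess at a time; the key space is enormous, yet the cipher falls to a handful of frequency observations because the statistics of the plaintext survive the substitution unchanged.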
slide 50
Why was it so easy?
► Doesn’t hide the statistical properties of the plaintext
► Doesn’t hide higher-order statistics, i.e. relationships in the plaintext (EE cannot match dg)
► English (and all natural languages) are very redundant
  • Compress English with zip – about 1:6
slide 51
How to make it harder?
► Hide statistical properties:
  • Encrypt “e” with 12 different symbols, “t” with 9 different symbols, etc.
  • Add nulls, remove spaces
► Polyalphabetic cipher
  • Use different substitutions
► Transposition
  • Scramble the order of letters
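What these countermeasures do to the statistics the previous slides exploited, measured on the same plaintext. This is an added Python example, not code from the lecture: a Caesar shift stands in for the monoalphabetic cipher, a Vigenère cipher for the polyalphabetic one, and a columnar transposition for letter scrambling; the keyword, shift and column width are arbitrary choices.

```python
"""What the countermeasures on the slide do to letter statistics: a monoalphabetic
cipher leaves them intact, a polyalphabetic cipher flattens them, a transposition
keeps the letters but breaks up digrams and trigrams.  Added example, not lecture
code; the keyword and column width are arbitrary choices."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Plaintext of the cipher solved on the earlier slides.
PLAINTEXT = ("the urge to discover secrets is deeply ingrained in human nature; "
             "even the least curious mind is roused by the promise of sharing "
             "knowledge withheld from others.")


def letters(text):
    return [c for c in text.lower() if c in ALPHABET]


def shift(c, k):
    return ALPHABET[(ALPHABET.index(c) + k) % 26]


def caesar(text, k):
    """Monoalphabetic: one substitution for the whole text."""
    return "".join(shift(c, k) if c in ALPHABET else c for c in text.lower())


def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic: the i-th letter uses the shift given by keyword[i mod len],
    so "e" is written with up to len(keyword) different symbols."""
    shifts = [ALPHABET.index(c) for c in keyword.lower()]
    out, i = [], 0
    for c in text.lower():
        if c in ALPHABET:
            k = shifts[i % len(shifts)]
            out.append(shift(c, -k if decrypt else k))
            i += 1
        else:
            out.append(c)
    return "".join(out)


def columnar_transposition(text, width):
    """Transposition: write the letters in rows of `width`, read them out by
    column.  Spaces and punctuation are dropped on the way (the "remove spaces"
    trick from the slide)."""
    ls = letters(text)
    return "".join("".join(ls[col::width]) for col in range(width))


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are the same letter.
    English prose is about 0.066; uniformly random letters give 1/26 = 0.038."""
    counts = Counter(letters(text))
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def top_trigram(text):
    """Most frequent sliding three-letter window and its count."""
    ls = "".join(letters(text))
    counts = Counter(ls[i:i + 3] for i in range(len(ls) - 2))
    return counts.most_common(1)[0]


def compare(plaintext=PLAINTEXT, keyword="crypto", width=7):
    """(index of coincidence, most frequent trigram) for each variant."""
    variants = {
        "plain": plaintext,
        "caesar": caesar(plaintext, 3),
        "vigenere": vigenere(plaintext, keyword),
        "transposition": columnar_transposition(plaintext, width),
    }
    return {name: (round(index_of_coincidence(t), 4), top_trigram(t))
            for name, t in variants.items()}


if __name__ == "__main__":
    for name, (ic, (tri, n)) in compare().items():
        print(f"{name:14s} IC={ic:.4f}  top trigram {tri!r} x{n}")
```

The index of coincidence is the quantity to watch: the Caesar text has exactly the plaintext's value and its top trigram is just "the" shifted, so frequency analysis works unchanged; the Vigenère text pushes the value towards the random-text floor, because each plaintext letter is spread over several ciphertext symbols; the transposition keeps the letter counts (and so the index) intact but the trigram structure that the slides used for pattern analysis is gone.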
slide 52
Network Security
► Most computers require some kind of information sharing.
► Common modes of information sharing with other computers vary from sneaker nets to high-speed networks.
► In order to secure individual computers, network security is essential.
slide 53
Network Layer Vulnerabilities
► We'll discuss IPv4, although other protocols can be used at this level
► IP features:
  • Network addresses
  • IP spoofing
  • Fragmentation
► IP components:
  • ICMP
► Transport layer components dependent on IP:
  • UDP
  • TCP
slide 54
IP Addresses
► Format: "A.B.C.D" where each letter is a byte
► Class A network: A.0.0.0
  • Zeroes are used to indicate that any number could be in that position
► Class B network: A.B.0.0
► Class C network: A.B.C.0
► Broadcast addresses:
  • 255.255.255.255
  • A.B.C.255
► Special case:
  • 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
slide 55
Other IP Addresses
► Multicast (class D)
  • 224.0.0.0 to 239.255.255.255
► Class E (experimental, reserved, i.e., wasted)
  • 240.0.0.0 to 254.255.255.255
slide 56
Junctions
► Router (gateway)
  • Works at the network layer (e.g., IP)
  • Joins subnets
  • Tries to send packets on the best route
  • Performs routing
► Firewall
  • Packet filter that enforces policies (through its filtering)
  • Can be transparent and non-addressable
  • A firewall is not necessarily used as a router (it might have only two interfaces), but it may be
  • A router is not necessarily a firewall
  • Some configurations have firewalls behind routers
slide 57
Special Networks
► Private non-routable networks (RFC 1918)
  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8
► Loopback network
  • 127.0.0.0/8
  • Typically only 127.0.0.1 is used
slide 58
CIDR Addresses
► Classless Inter-Domain Routing
  • Classes A, B, C are too rigid
  • Adds flexibility at the bit level instead of the byte level
► W.X.Y.Z/B
  • B is the number of bits that constitute the network address
  • /8 corresponds to a class A network, /16 to class B, /24 to class C
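The classful rules, the CIDR "W.X.Y.Z/B" notation and the special ranges from the last few slides, worked through with Python's standard `ipaddress` module. This is an added example, not code from the lecture; the function names are mine and the addresses used are from the documentation ranges and RFC 1918.

```python
"""Classful addresses, CIDR prefixes and the special ranges from the slides, using
the standard-library ipaddress module.  Added example, not lecture code."""
import ipaddress


def address_class(addr):
    """Classful (pre-CIDR) class, decided by the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"        # 0xxxxxxx  network A.0.0.0,  implied /8
    if first < 192:
        return "B"        # 10xxxxxx  network A.B.0.0,  implied /16
    if first < 224:
        return "C"        # 110xxxxx  network A.B.C.0,  implied /24
    if first < 240:
        return "D"        # 1110xxxx  multicast, 224.0.0.0 to 239.255.255.255
    return "E"            # 1111xxxx  experimental, 240.0.0.0 and above


def classful_network(addr):
    """The network an address belonged to before CIDR (None for classes D and E)."""
    prefix = {"A": 8, "B": 16, "C": 24}.get(address_class(addr))
    if prefix is None:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def describe(cidr):
    """W.X.Y.Z/B: the first B bits are the network part, the remaining 32-B the host
    part; the all-zeros host is the network, the all-ones host the broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "hosts": net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses,
        "private": net.is_private,      # RFC 1918: 10/8, 172.16/12, 192.168/16 (and others)
        "loopback": net.is_loopback,    # 127/8
        "multicast": net.is_multicast,  # class D
    }


def is_directed_broadcast(addr, cidr):
    """True if addr is the all-ones host address of the subnet: the address a
    Smurf attacker pings to make every host on that subnet answer at once."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.IPv4Address(addr) == net.broadcast_address


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.5", "192.168.1.1", "203.0.113.9", "224.0.0.1", "240.0.0.1"):
        print(f"{a:14s} class {address_class(a)}  classful net {classful_network(a)}")
    for cidr in ("192.168.1.77/24", "172.16.0.0/12", "10.1.2.3/20", "127.0.0.1/8"):
        print(cidr, describe(cidr))
```

The `strict=False` argument lets a host address such as 10.1.2.3/20 be passed in and normalised to its network (10.1.0.0/20), which is the usual way to find the subnet, mask and broadcast address that a given host sits in.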
slide 59
IP Packet
► Source IP
► Destination IP
► Header checksum (covers the header only; nothing in the packet is authenticated)
slide 60
IP Spoofing
► Any station can send packets pretending to be from any IP address
► Replies are routed to the subnet of the spoofed source address, not back to the sender
  • Route asymmetry: the attacker might not see the replies if spoofing a host on a different subnet
  • For some attacks this is not important
► Analogy
  • Nothing prevents you from physically mailing a letter with an invalid return address, or someone else’s, or your own.
  • Likewise, packets can be inserted in the network with invalid or other IP addresses.
slide 61
IP Spoofing with Amplification
► Use broadcasts pretending to originate from the victim
► All replies go back to the victim
► This may use any IP protocol (ICMP, TCP, UDP)
  • Any application or service that replies using these protocols
  • Famous attack: Smurf (using ICMP) DoS
► CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks
► Many others
► Smurf Amplifier Registry: http://www.powertech.no/smurf/
slide 62
ICMP
► Internet Control Message Protocol (IP management)
► Error handling and debugging protocol
► Not authenticated!
► Encapsulated inside an IP header
► Message types (8-bit type field):
  • 256 possible values
  • about 40 assigned
  • about two dozen in use
► References:
  • Network Intrusion Detection
  • http://www.iana.org/assignments/icmp-parameters
slide 63
Basic ICMP Message Types
► 0 Echo Reply
► 3 Destination Unreachable
► 4 Source Quench
► 5 Redirect
► 8 Echo
► 11 Time Exceeded
► 12 Parameter Problem
► 13 Timestamp
► 14 Timestamp Reply
► 15 Information Request
► 16 Information Reply
slide 64
ICMP Echo
► a.k.a. ping
► The destination replies (to the "source IP" of the original message) with an "echo reply"
► Data received in the echo message must be returned in the echo reply
► How can this be abused?
slide 65
Scans and Recon
► If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...
► Therefore, if you allow pings, your network is exposed.
slide 66
Smurf Attack
► Ping a broadcast address, with the (spoofed) IP of a victim as the source address
► All hosts on the network respond to the victim
► The victim is overwhelmed
► Keys: amplification and IP spoofing
► Protocol vulnerability; implementations can be "patched" to ignore pings to broadcast addresses (RFC 1122 allows a host to silently discard an echo request sent to a broadcast address, and since RFC 2644 routers do not forward directed broadcasts by default)
► ICMP echo is just used for convenience
  • Any ICMP message that elicits a reply can be abused this way
  • "Fraggle" is the equivalent, using UDP instead of ICMP
slide 67
Other Ping Abuse
► Tribe, a.k.a. the "Tribe Flood Network" distributed denial of service attack tool
► Used ICMP echo request and reply as a covert communication channel to issue commands to infected computers
  • Attackers reversed the normal usage of reply and request messages
  • Reply messages were used to issue commands and bypass firewalls (stateless filters commonly admit echo replies so that outbound pings keep working)
► http://staff.washington.edu/dittrich/misc/tfn.analysis
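The ICMP echo mechanics from the last few slides and the two abuses built on them (Smurf reflection off a directed broadcast, and echo replies used as a command channel as in TFN), as an added Python example that is not part of the lecture. The echo packets are built and parsed from raw bytes with the RFC 1071 checksum; the trace of (source, destination, type) records is constructed for illustration, uses the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the detection rules and function names are my own.

```python
"""ICMP echo: header parsing with the RFC 1071 checksum, the reply that must echo
the request's data, and an audit of an ICMP trace for Smurf reflection and for
unsolicited echo replies (TFN-style covert channel).  Added example, not lecture
code; LOCAL_NET and TRACE are constructed."""
import ipaddress
import struct
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
              16: "Information Reply"}


def checksum(data):
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """8-byte header (type, code, checksum, identifier, sequence) plus payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode the header.  The checksum field is valid iff the sum over the whole
    message is zero.  Nothing here is authenticated: every field can be forged."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "name": ICMP_TYPES.get(t, "unassigned"), "code": code,
            "id": ident, "seq": seq, "data": packet[8:]}


def echo_reply_for(request):
    """A conforming host answers an echo with a reply carrying the same id, seq and data."""
    req = parse_icmp(request)
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["data"])


def audit_trace(trace, local_net):
    """trace: (src, dst, icmp_type) records seen at the border of local_net.
    Flags echo requests aimed at our directed-broadcast address, counts the replies
    they reflect onto the (spoofed) source, and flags echo replies that no request
    from the 'receiver' accounts for."""
    net = ipaddress.ip_network(local_net)
    bcast = str(net.broadcast_address)
    requests = set()                       # (requester, target) pairs seen so far
    report = {"broadcast_requests": [], "reflected_replies": Counter(),
              "unsolicited_replies": []}
    for src, dst, typ in trace:
        if typ == ECHO_REQUEST:
            requests.add((src, dst))
            if dst == bcast:
                report["broadcast_requests"].append((src, dst))
        elif typ == ECHO_REPLY:
            if (dst, src) in requests:
                continue                                   # ordinary ping/pong
            if (dst, bcast) in requests and ipaddress.ip_address(src) in net:
                report["reflected_replies"][dst] += 1      # Smurf amplification
            else:
                report["unsolicited_replies"].append((src, dst))
    return report


def allow_at_border(src, dst, icmp_type, local_net):
    """The mitigation from the slide: drop echo requests to our broadcast address."""
    net = ipaddress.ip_network(local_net)
    return not (icmp_type == ECHO_REQUEST and ipaddress.ip_address(dst) == net.broadcast_address)


LOCAL_NET = "192.0.2.0/24"   # documentation range standing in for "our" subnet
TRACE = [                    # constructed records, not a real capture
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),   # spoofed victim -> our broadcast
    ("192.0.2.10", "203.0.113.9", ECHO_REPLY),      # our hosts all answer the victim
    ("192.0.2.11", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.12", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.20", "198.51.100.5", ECHO_REQUEST),   # an ordinary outbound ping
    ("198.51.100.5", "192.0.2.20", ECHO_REPLY),     # ... and its reply
    ("198.51.100.77", "192.0.2.30", ECHO_REPLY),    # reply nobody asked for: TFN-style
]

if __name__ == "__main__":
    req = build_echo(ECHO_REQUEST, 0x1234, 1, b"hello, world")
    print(parse_icmp(req), parse_icmp(echo_reply_for(req)), sep="\n")
    print(audit_trace(TRACE, LOCAL_NET))
```

The audit keeps only the (requester, target) pairs it has seen, which is all a stateful filter needs to tell a normal pong from a reply that arrived on its own; the reflected replies are attributed to the victim rather than flagged as unsolicited because the broadcast request explains them, and that count is exactly the amplification factor the attacker is after.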
slide 68
Why Do You Need Pings?
► To troubleshoot when something doesn’t work
► => if everything works then you don’t need pings, especially pings from outside your network...
► CAN-1999-0523 (under review)
  • ICMP echo (ping) is allowed from arbitrary hosts.
slide 69
About These Slides
► You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
  • You must give the original author and other contributors credit
  • The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
  • For any reuse or distribution, you must make clear to others the terms of use for this work
  • Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
► Thanks to the support of Symantec Corporation
slide 70
Questions
adeel.akram@uettaxila.edu.pk