To Boldly Go! To Go Boldly? (Whatever…)
Security in University Environments

Kathleen Kimball
Director, Computer and Network Security
Penn State
(814) 863-9533
FAX: (814) 865-2585
24 hr: 863-HELP
Email: krk5@psu.edu
Incident Email: security@psu.edu

Network Security Office
• Responsible for University-wide network security functions
• Functional Responsibilities include:
  - Policy Development
  - Training
  - Vulnerability Assessment
  - Risk Analysis
  - Incident Response

Session Overview
• Problem Review
• Security Elements
• Incident Experience
• Is there Hope?
  - What needs to be solved?
  - Current/Future “Solutions”

The University Problem
• Insecure systems, networks and apps (Oh, my!)
• Insufficient numbers of trained personnel
• Extremely wide-ranging user requirements
• The Barbarians are sometimes inside the gates
  - Complicates some traditional corporate approaches
• Exploit tools simple enough for a 10 year old; security tools incomprehensible to a 50 year old

In Short...
We are a very attractive target….

Security Elements
• Authentication
• Authorization
• Confidentiality and Integrity
• Accountability

An Important Principle
• Least Privilege
  - Perhaps we should call it Appropriate Privilege
  - You should have access to everything that you need; those without a similar need should not

Least Privilege (Continued)
• Easy to visualize in terms of applications or database fields. (In most cases, I should not have access to your medical or credit records).
• Needs to be extended to systems and networks
  - System - Turn off unused services; set file and directory permissions to limit access to those who truly require access; limit root and “everyone” access
  - Network - does every machine globally really need to be able to check your

Authentication
• Who are you anyway?
• Methods
  - User ID/Password
  - Certs (Not the breath mint)
  - Tokens or smart cards
  - Biometrics
  - Combinations of the above

Does Anyone Really Care About Your Password?

Cryptographically Secure Certificates
• Selectively promising but also mildly overhyped
• Problems:
  - Whoever issues it has to accept something to prove who you are - what if they’re wrong
  - Where do you keep your Certs -- your hard drive is the wrong answer
  - How do you unlock them - adequacy of passphrase or other technique
  - On the critical infrastructure side -- how

Other
• Tokens and smart cards
  - Good augmentation. Frustrating for the forgetful
• Biometrics
  - Will be more extensively used as the price becomes more attractive

Rule of Thumb
• Make both Authentication and Authorization mechanisms proportionate not just to the value of the data but also to the value of your system or network to the attacker

Authorization
• Now that you know who I am; what can I do?
  - Usually controlled by database or extended directory mechanism
  - May be individual or role-based
• At a system level: What can I access on the system (relevant permissions)
• At a network level: What parts of the network can I see (or reach out and touch)

Confidentiality and Integrity
• Encryption
  - Secret key
  - Public/private key
  - Digital signatures
  - Cryptographically secure checksums

Limitations
• Key length (Brute Force Attack)
• Non-Random Random Numbers to Generate Seed
• Compromise of Secret Key
• Poor Passphrase Selection (or keystroke monitor)
• Does not substitute for other security measures (e.g., host security)

Accountability
• Logs are good
  - Access to logs can be adequately controlled; but if the data is not there, the trail ends
  * All the King’s horses, FBI agents or Galactic Defense Forces cannot trace something technically in the absence of logs

Selected Defenses/”Solutions”
• Encryption
• Firewalls
• Intrusion Detection
• Other

Solutions: Firewalls
• Firewalls are collections of filters and gateways that shield trusted networks from untrusted networks.

Security Perimeter
[Diagram: Untrusted Network (Outside) | Firewall | Trusted Network (Inside)]

Packet Filtering
[Diagram: Untrusted network - Screening Router (allows or blocks packets per policy) - Trusted network]

Dual-Homed Host
[Diagram: Untrusted network - Dual-Homed Host (Firewall) - Trusted network]

Screened Subnet
[Diagram: Untrusted network - Exterior Router - Perimeter Network with Bastion host - Interior Router - Interior Network]

Personal Firewalls
• Can obtain a small hardware based firewall, but normally this term refers to software based
• Low cost
• Shows a lot of promise in areas that have zero investment dollars (e.g., student residence hall machines)

Limitations
• If the attacker is already on the interior or trusted network, there’s no protection
• Reasonably easy to bypass (dial-up modem at the desk)
• Can only address known threats. New threats may get through
• Does not inhibit viruses (for the most part)

Bottom Line
• Firewalls are useful as part of a “defense in depth” strategy
• They do not solve all problems, everywhere
• They are less useful in environments where the barbarians are already inside the gates

INTRUSION DETECTION NEEDED

Intrusion Detection
• Most practical now check for changes in critical files (e.g., tripwire)
• Much work (particularly government) in network models
• Some commercial products available
• Ultimately this is where we must evolve. We need not only locks but also burglar alarms....
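The Packet Filtering and Screened Subnet slides above describe a screening router that allows or blocks packets per policy. The following is an added example, not code from the original slides: a minimal first-match packet filter in Python for traffic arriving on the outside interface of an exterior router. The address ranges, rule set and sample packets are all constructed for illustration.

```python
"""Added example (not from the original slides): a first-match packet
filter of the kind a screening router applies at the perimeter.  The
rule set models the "Screened Subnet" slide: an untrusted outside, a
perimeter network holding a bastion host, and an interior network.
All addresses, rules and packets below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE   = ipaddress.ip_network("0.0.0.0/0")      # anything
PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # perimeter (bastion) network
INTERIOR  = ipaddress.ip_network("10.1.0.0/16")    # trusted interior network
BASTION   = ipaddress.ip_network("192.0.2.10/32")  # the bastion host itself

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

# Policy for packets arriving from the untrusted side, evaluated top to
# bottom: the first matching rule wins and anything unmatched is dropped.
INBOUND_POLICY = [
    Rule("deny",  INTERIOR,  OUTSIDE, note="anti-spoofing: inside source seen on outside interface"),
    Rule("deny",  PERIMETER, OUTSIDE, note="anti-spoofing: perimeter source seen on outside interface"),
    Rule("allow", OUTSIDE, BASTION, "tcp", 25, note="mail to the bastion"),
    Rule("allow", OUTSIDE, BASTION, "tcp", 80, note="web to the bastion"),
    Rule("deny",  OUTSIDE, INTERIOR, note="untrusted net never reaches the interior directly"),
]

def filter_packet(policy, p: Packet):
    """Return (action, note) of the first matching rule, or the default deny."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "default deny: no rule matched"

def apply_policy(policy, packets):
    """Evaluate every packet and tally decisions, as a router's counters would."""
    tally = {"allow": 0, "deny": 0}
    decisions = []
    for p in packets:
        action, note = filter_packet(policy, p)
        tally[action] += 1
        decisions.append((p, action, note))
    return decisions, tally

# Constructed sample traffic seen on the outside interface.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),    # mail to bastion: allowed
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),    # telnet to bastion: no rule, default deny
    Packet("198.51.100.7", "10.1.4.20",  "tcp", 80),    # straight to interior: denied
    Packet("10.1.4.20",    "10.1.4.21",  "tcp", 22),    # inside address arriving from outside: spoof
    Packet("198.51.100.7", "192.0.2.10", "icmp", None), # ping to bastion: no rule, default deny
]

if __name__ == "__main__":
    decisions, tally = apply_policy(INBOUND_POLICY, SAMPLE_PACKETS)
    for p, action, note in decisions:
        print(f"{action:5} {p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport}  ({note})")
    print("totals:", tally)
```

Two design points echo the slides. The anti-spoofing rules come first because a screening router can only judge a packet by what it carries, so an inside address showing up on the outside interface is the one spoofing case it can catch. And the policy says nothing at all about interior-to-interior traffic, which is exactly the "barbarians already inside the gates" limitation the Bottom Line slide notes.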
Other Issues: Web Security
• Web Security approaches are somewhat one-dimensional
• Approaches address secure session conduct and document transmission
• Do not address host security issues, privacy, denial of service
• ****A “SECURE” SERVER ISN’T (at least not comprehensively)****

Incidents: A Growth Industry
• A Department of Defense (DoD) tiger team test:
  - 8932 systems tested
  - 7860 systems successfully penetrated
  - 390 sys admins detected the attack
  - 19 reported the attack

Total Incident Percentages - 1999
• Other - 6%
• Forgeries - 1%
• Spam, Relays, Chain Letters - 21%
• Denial of Service - 44%
• Electronic Harassment - 4%
• Unauthorized Access Attempts - 17%
• System-Acct-Data Compromise - 4%
• Copyright Violation - 1%
• Commercial Use - 2%
NUMBERS
• Total Reported: 3976
• Average (Month): 331.3
• Highest - October (500)
• Lowest - July (157)

Comparison of Incidents by Year 1997 through 1999
[Chart: Total Incidents, Highest Month, Lowest Month and Average Month per year]
• 1997 - 979
• 1998 - 2310
• 1999 - 3976

Selected Intrusion Techniques
• Probes
  - Also email borne virii-worms
• IP Spoofing
• Floods (non-distributed)
• Log modification (rootkit)
• “Combo Plate” - Multiple attacks combined - may involve multiple OS (the latest “worm”)
• Distributed Denial of Service Attacks

Probes
• Typically automated scans to determine which services are running on a given port
• Determine vulnerable services and, optionally, attempt to exploit
• Double-edged sword -- Can be extremely valuable to system administrators
• Examples: Strobe, ISS, nmap

Email Borne Virii-worms
• Hybris - Snowhite, “Dirty words”
• Romeo and Juliet
• “From” addresses not trustworthy.
  - Some variants not only replicate “to” email addressees but may also pull the “from” address at random from that source
• Digression: Windows Trojans

Log & Utility Changes (Rootkit)
• Used AFTER a system has been compromised
• Trojans the most common tools/utilities that would enable the intrusion to be detected (e.g., login, ls, ps, ifconfig, netstat). Trojan program checksums will match true distribution.
• Alters log files to eliminate evidence of activity

Denial of Service
• IP address frequently (but not always) “spoofed”
• Simple (ping floods, mail bombs)
• Slightly more complicated (Smurf)
• The real mother (Distributed Denial of Service Attacks)

Ugly is as Ugly DoS
[Diagram: Distributed DoS - Attacker controls Master 1 … Master N; each Master controls Slave 1 … Slave N]

What Needs to be Solved?
• Host Security
  - Systems and Network Administration
    Will we ever have enough people with sufficient training to “get well”
  - Education (Catch 22: Interest is proportional to direct, personal experience. The most effective security proponents are those who have just been exploited)
  - VENDOR IMPROVEMENTS

What Needs to be Solved (Continued)
• Network Security
  - Protocol Vulnerabilities
  - Authentication and Authorization
  - Confidentiality and Integrity
    Protection en route
  - Intelligent implementation of distributed firewall/filtering approaches consistent with the unique nature of university environments
  - Intrusion Detection - implies better logging

Integrated Planning Needed
• THERE IS NO MAGIC BULLET. No one solution will make your installation secure. Defense in depth required...Also, defenses will change over time.

WHAT HAVE WE LEARNED, GRASSHOPPER?

Incident 1
• Your upstream provider notifies you that all the machines in a given subnet are actively flooding an external company
  - What’s going on? What do you do? What went wrong that allowed this to happen?

Incident 2
• The State Police call and report multiple instances of credit card fraud via a store’s web-based order form.
  The IP’s are in your address space but not ones you instantly recognize.

Incidents 3 & 4
• A broadcast medium experiences some disruption. It appears that there are some unexpected files on the drive. (This is the second time this has happened this week).
• An administrative desktop machine is sending unexpectedly large volumes to the commercial Internet. Suddenly reports of probes/defaced web pages are received related to this machine.

Summary
• Security isn’t “going away”. In fact, it’s becoming the squeaky wheel that must be oiled - now
• Incidents are becoming technically “neat” but increasingly difficult to resolve. They involve more systems and are harder to detect initially
• If there truly was a “hacker ethic”, it seems to be eroding
• Examining systems (and preserving evidence) requires skilled forensic examination

Questions?
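Incident 1 above (a whole subnet flooding an external company) and Incident 4 (one administrative desktop sending unusually large volumes to the commercial Internet) are both visible in flow records from the border router, provided those records are kept, which is the Accountability slide's point. The following is an added example, not code from the original talk: Python triage of constructed flow summaries that picks out both patterns. The record format, the campus address range, the thresholds and every address are assumptions.

```python
"""Added example (not from the original slides): triage of constructed
flow records for two incident patterns the talk describes, a subnet of
hosts flooding one external target (Incident 1) and a single desktop
sending far more outbound than its peers (Incident 4).  Record format,
addresses and thresholds are all assumptions made for this example."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow summaries, one per line: src dst proto dport packets bytes
SAMPLE_FLOWS = """\
10.1.7.11 203.0.113.5 udp 53 48000 3840000
10.1.7.12 203.0.113.5 udp 53 51000 4080000
10.1.7.13 203.0.113.5 udp 53 47500 3800000
10.1.7.14 203.0.113.5 udp 53 50200 4016000
10.1.7.15 198.51.100.9 tcp 80 40 32000
10.1.9.21 198.51.100.40 tcp 80 120 96000
10.1.9.22 198.51.100.41 tcp 443 150 180000
10.1.9.23 198.51.100.42 tcp 80 90 70000
10.1.9.24 198.51.100.77 tcp 6667 900000 850000000
10.1.9.25 198.51.100.43 tcp 25 60 48000
"""

CAMPUS = ipaddress.ip_network("10.1.0.0/16")   # assumed local address space

def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def is_local(addr):
    return ipaddress.ip_address(addr) in CAMPUS

def flooding_subnets(flows, prefix=24, min_hosts=3, min_packets=10000):
    """Incident 1 pattern: several hosts in one local /prefix each sending a
    large packet count to the same external destination, which is what a
    group of DDoS slaves looks like from the border.  Returns
    {(subnet, target): sorted list of source hosts}."""
    groups = defaultdict(set)
    for f in flows:
        if is_local(f["src"]) and not is_local(f["dst"]) and f["packets"] >= min_packets:
            subnet = ipaddress.ip_network(f"{f['src']}/{prefix}", strict=False)
            groups[(str(subnet), f["dst"])].add(f["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}

def outbound_outliers(flows, factor=50):
    """Incident 4 pattern: a local host whose outbound byte total exceeds
    `factor` times the median of all local senders.  Returns [(host, bytes)]
    sorted by volume, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if is_local(f["src"]) and not is_local(f["dst"]):
            totals[f["src"]] += f["bytes"]
    if len(totals) < 2:
        return []
    med = median(totals.values())
    return sorted(((h, b) for h, b in totals.items() if b > factor * med),
                  key=lambda hb: -hb[1])

def triage(text):
    """Run both detectors over a block of flow records."""
    flows = parse_flows(text)
    return {"flooding": flooding_subnets(flows), "outliers": outbound_outliers(flows)}

if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    for (subnet, target), hosts in report["flooding"].items():
        print(f"flood: {len(hosts)} hosts in {subnet} -> {target}: {', '.join(hosts)}")
    for host, nbytes in report["outliers"]:
        print(f"outlier: {host} sent {nbytes:,} bytes outbound")
```

Both detectors answer the first of Incident 1's questions, "what's going on?", from data the site already has; the median-based outlier test is deliberately relative to peers so that a busy file server does not trip it while a desktop that suddenly behaves like one does. What they cannot answer is "what went wrong": that still needs the host examined and its evidence preserved, as the Summary slide says.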