NETWORK SECURITY
PART 1: Security at the Network Layer: IPSec
IP Security:
• IP Security (IPSec) is a collection of protocols designed to provide security for a packet at the network level.
• It helps to create authenticated and confidential packets for the IP layer.
• IPSec supports data integrity, data confidentiality, data origin authentication, and replay protection at the network level.
• IPSec is integrated at the Internet layer; it provides security for almost all protocols in the TCP/IP suite.
• The functional areas of IPSec are: 1. Authentication 2. Confidentiality 3. Key Management
IPSec Services
• Confidentiality (encryption) - ensuring that the data has not been read en route
• Message integrity - ensuring that the data has not been changed en route
• Data origin authentication - identifying who sent the data
• Anti-replay service - detecting packets received more than once, to help protect against denial of service attacks
• Access control
IPSec Protocol Modes:
A mode is the method in which the IPSec protocol is applied to the packet. SAs operate using modes.
1. Transport mode:
· It can only be used between the end-points of a communication.
· The IPSec layer comes between the transport layer and the network layer.
· IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.
2. Tunnel mode:
· Tunnel mode is normally used between two routers, between a host and a router, or between a router and a host, i.e. it is used when either the sender or the receiver is not a host.
· The IP packet flow is from the network layer to the IPSec layer and then back to the network layer again.
· IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.
· IPSec in tunnel mode protects the original IP header.
Comparison: Transport mode versus tunnel mode
TWO SECURITY PROTOCOLS:
IPSec defines two protocols:
1. Authentication Header (AH) Protocol
2. Encapsulating Security Payload (ESP) Protocol
Authentication Header (AH)
The Authentication Header (AH) is a part of the IP Security (IPsec) protocol suite, which
• Provides data integrity and authentication for IP packets.
– Ensures that the contents have not been changed during transmission and authenticates the origin of IP packets
• Provides protection against replay attacks (optional).
It is based on the use of a message authentication code (MAC).
The Authentication Header consists of the following fields:
• Next Header (8 bits): Identifies the type of header immediately following this header.
• Payload Length (8 bits): Length of AH in 32-bit words minus 2
• Reserved (16 bits): Future use
• Security Parameters Index (32 bits): Identifies the security association
• Sequence Number (32 bits): Increasing counter value
• Authentication Data (variable length): Contains the Integrity Check Value (ICV) or MAC of this packet
Encapsulating Security Payload (ESP)
Provides message content confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.
The ESP protocol was designed after the AH protocol was already in use. ESP does whatever AH does with additional functionality (privacy).
Fields in the ESP packet:
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function.
• Payload (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
• Padding (0 – 255 bytes)
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
• Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP).
• Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
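The two field lists above (AH and ESP) are easiest to understand when the bytes are laid out and taken apart. The following is an added example written for these notes, not code from the notes or from any IPsec implementation: it serialises and parses an AH with the "32-bit words minus 2" Payload Length encoding, and an ESP packet with a null cipher so that Payload, Padding, Pad Length and Next Header stay visible. The MAC transform (HMAC-SHA-256 truncated to 96 bits), the key and the sample packets are constructed assumptions for the demonstration; AH's ICV coverage of the outer IP header is left out, so the AH ICV is simply supplied by the caller.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a real SA the key comes from the SA parameters negotiated by IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12  # 96-bit truncated ICV (an assumed transform for the demo)


def compute_icv(authenticated: bytes) -> bytes:
    """MAC over the authenticated bytes, truncated to ICV_LEN."""
    return hmac.new(DEMO_KEY, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise an AH: Next Header, Payload Length, Reserved, SPI, Sequence Number, ICV."""
    total_len = 12 + len(icv)
    if total_len % 4:
        raise ValueError("AH must be a whole number of 32-bit words")
    payload_len = total_len // 4 - 2          # length in 32-bit words minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data: bytes) -> dict:
    """Parse the fixed AH fields and slice off the variable-length Authentication Data."""
    if len(data) < 12:
        raise ValueError("AH too short")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4             # undo the "words minus 2" encoding
    if len(data) < ah_len:
        raise ValueError("AH truncated")
    return {"next_header": next_header, "payload_length": payload_len, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": data[12:ah_len], "length": ah_len}


def build_esp(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Serialise an ESP packet with a null cipher so the field layout stays visible:
    SPI, Sequence Number, Payload, Padding, Pad Length, Next Header, Authentication Data."""
    pad_len = (-(len(payload) + 2)) % 4        # align Pad Length + Next Header to 4 bytes
    padding = bytes(range(1, pad_len + 1))     # 0-255 pad bytes; 1,2,3,... is the usual pattern
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + compute_icv(body)            # ICV covers everything except itself


def parse_esp(data: bytes) -> dict:
    """Verify the ICV (computed over the ESP packet minus Authentication Data), then unpack."""
    if len(data) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP too short")
    authenticated, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(authenticated)):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    payload_end = len(authenticated) - 2 - pad_len
    return {"spi": spi, "seq": seq, "payload": authenticated[8:payload_end],
            "padding": authenticated[payload_end:-2], "pad_length": pad_len,
            "next_header": next_header, "icv": icv}


def esp_survives_tampering(data: bytes) -> bool:
    """Flip one bit of the first payload byte and report whether parse_esp still accepts it."""
    tampered = bytearray(data)
    tampered[8] ^= 0x01
    try:
        parse_esp(bytes(tampered))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ah = build_ah(6, 0x100, 7, bytes(ICV_LEN))       # next header 6 = TCP
    print(parse_ah(ah))
    esp = build_esp(0x1234, 1, b"hello", 6)
    print(parse_esp(esp))
    print("tampered ESP accepted:", esp_survives_tampering(esp))
```

The parse order in parse_esp matters: the ICV is checked before any field is trusted, because Pad Length and Next Header sit at the end of the authenticated region and would otherwise be read from unverified bytes.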
Anti-Replay Service:
• Retransmission of an authenticated packet is possible.
• The Sequence Number field is used to counter replay attacks.
Sender side:
• The sender initiates the SA and sends the first message with sequence number 1.
• Limitation of sequence numbers: (2^32 – 1)
• After reaching the limit the sender terminates this SA and starts a new SA with a new key.
Receiver side mechanism:
• Maintains a window of authenticated IP packets of size W (default W = 64).
• The right end of the window is the highest sequence number, N, of the received packets.
• If a received packet is within the range from N-W+1 to N, the corresponding slot in the window is marked.
Replay window
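The receiver-side window above is shown for the in-window case only; the complete sliding-window algorithm (the one specified for IPsec in RFC 4303, which the notes summarise) also has to slide the window when a new highest sequence number arrives, drop packets that fall to the left of the window, and drop packets whose slot is already marked. The following is an added example, not code from the notes: a bitmap window of W slots plus the sender-side counter that retires the SA at 2^32 - 1. The arrival order fed through it is constructed.

```python
SEQ_MAX = 2**32 - 1  # sequence numbers are 32 bits; the SA must be replaced before wrap-around


def sender_can_continue(last: int) -> bool:
    """True while a sender whose last sequence number is `last` may still send on this SA."""
    return last < SEQ_MAX


class SenderSequence:
    """Sender side: the counter starts at 1 and the SA is retired when it reaches 2^32 - 1."""

    def __init__(self) -> None:
        self.last = 0

    def next(self) -> int:
        if not sender_can_continue(self.last):
            raise RuntimeError("sequence space exhausted: terminate this SA and negotiate a new key")
        self.last += 1
        return self.last


class ReplayWindow:
    """Receiver side: a window of W slots whose right edge N is the highest sequence
    number received so far, covering N-W+1 .. N.  A packet is rejected if it falls to
    the left of the window or lands on a slot that is already marked."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0          # N; 0 means nothing received yet
        self.bitmap = 0       # bit i set  <=>  sequence number top - i already marked

    def accept(self, seq: int) -> bool:
        if seq <= 0 or seq > SEQ_MAX:
            return False
        if seq > self.top:
            # Right of the window: slide it so seq becomes the new right edge, mark seq.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                           # every old slot falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                                  # left of window: too old
        bit = 1 << offset
        if self.bitmap & bit:
            return False                                  # slot already marked: replay
        self.bitmap |= bit                                # in window, first time: mark it
        return True


def replay_check(seqs, size: int = 64):
    """Run a sequence of received numbers through one window; returns (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(s, window.accept(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in order, a duplicate, a jump, a packet now too old,
    # a late packet still inside the window, its duplicate, and another too-old one.
    for seq, ok in replay_check([1, 2, 3, 2, 70, 5, 100, 90, 90, 6]):
        print(f"seq {seq:>3}: {'accepted' if ok else 'dropped'}")
```

Note that the window is only advanced by packets that pass the ICV check in a real receiver; updating it on an unauthenticated packet would let an attacker push the window forward and force the receiver to drop genuine traffic.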
SECURITY ASSOCIATION
IPSec requires a logical relationship, called a Security Association (SA), between two hosts.
• An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
• An SA is a logical connection between two devices transferring data.
• An SA provides data protection for unidirectional traffic by using the defined IPSec protocols.
Simple SA
Security Association Database (SAD)
Every user maintains a Security Association Database to store the details of SAs. Every row is indexed with <SPI, DA, P> (Security Parameters Index, destination address, protocol).
Example:
Typical SA Parameters
SECURITY POLICY
The Security Policy (SP) defines the type of security applied to a packet when it is to be sent or when it has arrived. Before using the SAD, a host must determine the predefined policy for the packet.
Security Policy Database
Outbound processing
Inbound processing
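The SAD/SPD split above (policy consulted first, then the SA the policy names, with the SAD indexed by <SPI, DA, P>) is small enough to model end to end. This is an added example written for these notes, not code from the notes or from any IPsec stack: the policy entries, the SA, the address ranges and the packets are all constructed, and the three policy actions (discard, bypass, protect) follow the usual SPD semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SAKey = Tuple[int, str, str]   # <SPI, destination address, protocol> index of the SAD


@dataclass(frozen=True)
class SecurityAssociation:
    """A few of the typical SA parameters; algorithms, keys and lifetimes are omitted here."""
    spi: int
    dst: str
    proto: str        # "AH" or "ESP"
    mode: str         # "transport" or "tunnel"

    @property
    def key(self) -> SAKey:
        return (self.spi, self.dst, self.proto)


class SAD:
    """Security Association Database indexed by <SPI, DA, P>."""

    def __init__(self) -> None:
        self._rows = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._rows[sa.key] = sa

    def lookup(self, spi: int, dst: str, proto: str) -> Optional[SecurityAssociation]:
        return self._rows.get((spi, dst, proto))


@dataclass(frozen=True)
class PolicyEntry:
    """One SPD row: traffic selectors plus the action (discard, bypass or protect)."""
    src_net: str
    dst_net: str
    protocol: str                    # "tcp", "udp" or "any"
    dst_port: Optional[int]          # None matches every port
    action: str                      # "discard" | "bypass" | "protect"
    sa_key: Optional[SAKey] = None   # which SA implements "protect"

    def matches(self, src: str, dst: str, protocol: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and self.protocol in ("any", protocol)
                and self.dst_port in (None, dport))


class SPD:
    """Security Policy Database: an ordered list, first match wins."""

    def __init__(self, entries) -> None:
        self.entries = list(entries)

    def match(self, src, dst, protocol, dport) -> Optional[PolicyEntry]:
        for entry in self.entries:
            if entry.matches(src, dst, protocol, dport):
                return entry
        return None


def outbound(spd: SPD, sad: SAD, src, dst, protocol, dport):
    """Outbound processing: consult the SPD first, then fetch the SA the policy names."""
    entry = spd.match(src, dst, protocol, dport)
    if entry is None or entry.action == "discard":
        return ("discard", None)
    if entry.action == "bypass":
        return ("bypass", None)
    sa = sad.lookup(*entry.sa_key)
    if sa is None:
        return ("needs-sa", None)   # in a real stack this is where IKE would be invoked
    return ("protect", sa)


def inbound(spd: SPD, sad: SAD, spi, dst, ipsec_proto, inner_src, inner_dst, inner_protocol, inner_dport):
    """Inbound processing: find the SA by <SPI, DA, P>, then confirm that the policy for the
    inner traffic really demanded protection by that SA (otherwise a valid SA could be
    used to smuggle in traffic the policy never intended it to carry)."""
    sa = sad.lookup(spi, dst, ipsec_proto)
    if sa is None:
        return "discard: unknown SA"
    entry = spd.match(inner_src, inner_dst, inner_protocol, inner_dport)
    if entry is None or entry.action != "protect" or entry.sa_key != sa.key:
        return "discard: policy mismatch"
    return "accept"


# Constructed example: protect traffic from the 10.0.0.0/24 office to the 10.0.1.0/24 branch,
# let plain web traffic bypass IPSec, discard everything else.
SAD_DEMO = SAD()
SAD_DEMO.add(SecurityAssociation(spi=0x1001, dst="10.0.1.1", proto="ESP", mode="tunnel"))
SPD_DEMO = SPD([
    PolicyEntry("10.0.0.0/24", "10.0.1.0/24", "any", None, "protect", (0x1001, "10.0.1.1", "ESP")),
    PolicyEntry("0.0.0.0/0", "0.0.0.0/0", "tcp", 80, "bypass"),
    PolicyEntry("0.0.0.0/0", "0.0.0.0/0", "any", None, "discard"),
])

if __name__ == "__main__":
    print(outbound(SPD_DEMO, SAD_DEMO, "10.0.0.5", "10.0.1.9", "tcp", 22))
    print(outbound(SPD_DEMO, SAD_DEMO, "10.0.0.5", "203.0.113.7", "tcp", 80))
    print(outbound(SPD_DEMO, SAD_DEMO, "10.0.0.5", "203.0.113.7", "udp", 53))
    print(inbound(SPD_DEMO, SAD_DEMO, 0x1001, "10.0.1.1", "ESP", "10.0.0.5", "10.0.1.9", "tcp", 22))
    print(inbound(SPD_DEMO, SAD_DEMO, 0x9999, "10.0.1.1", "ESP", "10.0.0.5", "10.0.1.9", "tcp", 22))
```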
INTERNET KEY EXCHANGE (IKE)
The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations. IKE creates SAs for IPSec.
Improved Diffie-Hellman
Diffie-Hellman with cookies
To protect against a clogging attack, IKE uses cookies.
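The point of the cookie is that the responder performs no expensive modular exponentiation, and keeps no per-peer state, until the initiator has proved it can receive at the address it claims. The following is an added example illustrating that idea, not code from the notes or from any IKE implementation: the cookie is a keyed hash of the peer's address and port under a responder-only secret (one common way to make cookies stateless; the exact IKE cookie formula is not reproduced here), and the Diffie-Hellman group (p = 23, g = 5) is a toy chosen so the arithmetic is readable, not a group any real protocol would use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only so the arithmetic is readable; IKE uses large MODP groups.
P, G = 23, 5


def make_cookie(secret: bytes, ip: str, port: int) -> bytes:
    """Stateless cookie: a keyed hash of the peer's address and port under a secret only the
    responder knows.  Anyone who can receive at (ip, port) can echo it; a spoofer cannot."""
    return hmac.new(secret, f"{ip}:{port}".encode(), hashlib.sha256).digest()[:8]


class Responder:
    """Refuses to do any modular exponentiation until the initiator returns a valid cookie."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        self.exponentiations = 0          # counts the expensive work actually performed

    def first_message(self, ip: str, port: int) -> bytes:
        # Cheap and stateless: compute a cookie, keep no per-peer state.
        return make_cookie(self._secret, ip, port)

    def second_message(self, ip: str, port: int, cookie: bytes, peer_public: int):
        if not hmac.compare_digest(cookie, make_cookie(self._secret, ip, port)):
            return None                   # bad cookie: drop, no state consumed, no DH work done
        private = secrets.randbelow(P - 2) + 1
        self.exponentiations += 1
        public = pow(G, private, P)
        shared = pow(peer_public, private, P)
        return public, shared


class Initiator:
    def __init__(self, ip: str, port: int) -> None:
        self.ip, self.port = ip, port
        self.private = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)

    def shared_with(self, responder_public: int) -> int:
        return pow(responder_public, self.private, P)


def run_exchange(responder: Responder, initiator: Initiator, src_ip: str, src_port: int):
    """Cookie exchange, then DH.  src_ip/src_port is the source the responder sees.  A peer
    that forged its source address is not listening there, so it never learns the cookie
    and can only send back garbage; the responder rejects it before doing any DH work."""
    cookie = responder.first_message(src_ip, src_port)
    cookie_seen = cookie if (src_ip, src_port) == (initiator.ip, initiator.port) else bytes(8)
    result = responder.second_message(src_ip, src_port, cookie_seen, initiator.public)
    if result is None:
        return None
    responder_public, responder_shared = result
    return initiator.shared_with(responder_public), responder_shared


if __name__ == "__main__":
    r = Responder()
    honest = Initiator("198.51.100.10", 500)
    print("honest:", run_exchange(r, honest, "198.51.100.10", 500), "work:", r.exponentiations)
    forged = Initiator("203.0.113.9", 500)        # really at 203.0.113.9, claims 192.0.2.77
    print("forged:", run_exchange(r, forged, "192.0.2.77", 500), "work:", r.exponentiations)
```

The counter `exponentiations` is the thing to watch: it rises only for the honest exchange, which is exactly the property that defeats a clogging attack built from forged source addresses.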
IKE Phases:
IKE is divided into two phases: phase I and phase II.
Phase I: creates SAs for phase II.
Phase II: creates SAs for a data exchange protocol such as IPSec.
Main-mode or aggressive-mode methods
Main mode, preshared secret-key method
Main mode, original public-key method
Main mode, revised public-key method
Main mode, digital signature method
Aggressive mode, preshared-key method
Aggressive mode, revised public-key method
Quick mode
Internet Security Association and Key Management Protocol (ISAKMP)
The ISAKMP protocol is designed to carry messages for the IKE exchange.
The Internet Security Association and Key Management Protocol (ISAKMP) is used for negotiating, establishing, modifying and deleting SAs and related parameters. It defines the procedures and packet formats for peer authentication, creation and management of SAs, and techniques for key generation. It also includes mechanisms that mitigate certain threats, e.g., Denial of Service (DoS), and anti-replay protection.
In ISAKMP, SA and key management are separate from any key exchange protocol; so, in a sense, ISAKMP is an "abstract" protocol: it provides a framework for authentication and key management and supports many actual key exchange protocols (e.g., IKE). ISAKMP defines header and payload formats, but needs an instantiation to a specific set of protocols. Such an instantiation is denoted as the ISAKMP Domain Of Interpretation (DOI); an example of this for IPsec/IKE is the IPsec DOI.
ISAKMP operates in two phases. During phase 1, peers establish an ISAKMP SA, namely they authenticate and agree on the mechanisms used to secure further communications. In phase 2 this ISAKMP SA is used to negotiate further protocol SAs (e.g., an IPsec/ESP SA). After the initial establishment of an ISAKMP SA, multiple protocol SAs can be established.
ISAKMP general header
SYSTEM SECURITY
UNIT VIII
Intruders
• Topics to be covered
– Definition
– Classification
– Intruder Behavior Patterns
– Intrusion Techniques
1. Intruders
• Intrusion is the act of gaining unauthorized access to a system so as to cause loss or harm.
• Either via the network or locally
Definition of intruder:
• An intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system.
2. Classification of Intruders
• Can identify classes of intruders:
– Masquerader: an individual who is not authorized to use the computer (outsider)
– Misfeasor: a legitimate user who accesses unauthorized data, programs, or resources (insider)
– Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection (either)
Intruders
• Clearly a growing, publicized problem
– From the "wily hacker" in 1986/87
– To clearly escalating CERT stats
• May seem benign, but still cost resources
• May use a compromised system to launch other attacks
• Awareness of intruders has led to the development of CERTs (computer emergency response teams)
Examples of intrusion:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
3. Intruder Behavior Patterns
• The techniques and behavior patterns of intruders are constantly changing
– Different tactics to avoid detection, making use of new attack vectors.
• Still, intruders follow one of a number of recognizable behavior patterns, and these patterns typically differ from those of ordinary users. So, those patterns can be detected.
• Several examples follow:
– Hackers
– Criminal enterprise
– Insider attacks
Intruder Behavior Patterns contd.
• Hackers: those who hack into the system for the thrill.
• Criminal enterprise: organized groups of hackers. They can be employees of a corporation or government. A common target is a credit card file at an e-commerce server.
• Insider attacks: employees already have access and knowledge about the structure and content of corporate databases. Attacks for revenge.
Hacker
1. Select the target using IP lookup tools such as NSLookup, Dig, and others.
2. Map the network for accessible services using tools such as NMAP.
3. Identify potentially vulnerable services (in this case, pcAnywhere).
4. Brute force (guess) the pcAnywhere password.
5. Install a remote administration tool called DameWare.
6. Wait for the administrator to log on and capture his password.
7. Use that password to access the remainder of the network.
Criminal enterprise
1. Act quickly and precisely to make their activities harder to detect.
2. Exploit the perimeter through vulnerable ports.
3. Use Trojan horses (hidden software) to leave back doors for reentry.
4. Use sniffers to capture passwords.
5. Do not stick around until noticed.
6. Make few or no mistakes.
Insider attacks
1. Create network accounts for themselves and their friends.
2. Access accounts and applications they wouldn't normally use for their daily jobs.
3. E-mail former and prospective employers.
4. Conduct furtive instant-messaging chats.
5. Visit Web sites that cater to disgruntled employees, such as f'dcompany.com.
6. Perform large downloads and file copying.
7. Access the network during off hours.
4. Intrusion Techniques
• The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system.
• A key goal is often to acquire passwords.
• The system must maintain a file that associates a password with each authorized user.
• The password file can be protected in one of two ways:
– One-way function: the system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value.
– Access control: access to the password file is limited to one or a very few accounts.
• A number of password crackers report the following techniques for learning passwords:
1. Try default passwords used.
2. Try all short passwords (those of one to three characters).
3. Try words in the system's online dictionary or a list of likely passwords.
• Examples of the latter are readily available on hacker bulletin boards.
Intrusion Techniques contd.
4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
5. Try users' phone numbers, social security numbers, and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
Password Guessing Attack
• One of the most common attacks
• The attacker knows a login (from email, a web page, etc.)
• Then attempts to guess the password for it
– Defaults, short passwords, common word searches
– User info (variations on names, birthday, phone, common words/interests)
– Exhaustively searching all possible passwords
• Checked by login or against a stolen password file
• Success depends on the password chosen by the user
• Surveys show many users choose poorly
Password Capture
• Another attack involves password capture
– Watching over the shoulder as the password is entered
– Using a Trojan horse program to collect it
– Monitoring an insecure network login
• e.g. Telnet, FTP, web, email
– Extracting recorded info after a successful login (web history/cache, last number dialed, etc.)
• Using a valid login/password, the attacker can impersonate the user
• Users need to be educated to use suitable precautions/countermeasures
Intrusion Techniques contd.
• Countermeasures for intrusion:
– Intrusion Detection
– Intrusion Prevention
Intrusion Detection
• Inevitably there will be security failures
• So we also need to detect intrusions, so that we can
– Block if detected quickly
– Act as a deterrent
– Collect info to improve security
• Assume the intruder will behave differently from a legitimate user
– But will have imperfect distinction between
Reasons to have an intrusion detection system:
1. If an intrusion is detected quickly, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
– The sooner an intrusion is detected, the less the amount of damage and the more quickly recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent (prevention), so acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Approaches to Intrusion Detection
• Statistical anomaly detection
– Threshold detection
– Profile based
• Rule-based detection
– Anomaly
– Penetration identification
• Statistical anomaly detection: involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
• Rule-based detection: involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
1. Audit Records
• Fundamental tool for intrusion detection
• Some record of ongoing activity by users must be maintained as input to an intrusion detection system
• Native audit records
– part of all common multi-user O/S
– already present for use
– may not have the info wanted in the desired form
• Detection-specific audit records
– created specifically to collect the wanted info
– at the cost of additional overhead on the system
a. Native audit records:
• Almost all multiuser operating systems include accounting software that collects information on user activity.
• The advantage of using this information is that no additional collection software is needed.
• The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.
b. Detection-specific audit records:
• A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system.
• One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems.
• The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.
Example of detection-specific audit records:
Each audit record contains the following fields:
• Subject: Initiators of actions.
– A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects. Subjects may be grouped into different access classes, and these classes may overlap.
• Action: Operation performed by the subject on or with an object;
– for example, login, read, perform I/O, execute.
• Object: Receptors of actions.
– Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the recipient of an action, such as electronic mail, then that subject is considered an object. Objects may be grouped by type. Object granularity may vary by object type and by environment. For example, database actions may be audited for the database as a whole or at the record level.
• Exception-Condition: Denotes which, if any, exception condition is raised on return.
• Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource
– (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).
• Time-Stamp: Unique time-and-date stamp identifying when the action took place.
2. Statistical Anomaly Detection
It is divided into two categories:
• Threshold detection system
– count occurrences of a specific event over time
– if the count exceeds a reasonable value, assume intrusion
– alone is a crude & ineffective detector
• Profile based system
– characterize past behavior of users
– detect significant deviations from this
– profile is usually multi-parameter
Threshold detection
• Threshold detection involves counting the number of occurrences of a specific event type over an interval of time.
• If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed.
Profile based
• Profile-based anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
• A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert.
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, Markov process, time series, operational
• key advantage is that no prior knowledge is used
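The detection-specific audit record (Subject, Action, Object, Exception-Condition, Resource-Usage, Time-Stamp) and the two statistical approaches above fit together naturally: threshold detection counts one kind of record over a time interval, and profile-based detection applies the mean & standard deviation test to a resource-usage metric. The following is an added example written for these notes, not code from the notes or from any IDS: the audit trail is constructed (alice behaves normally, bob fails to log in repeatedly, carol reads far more records than her profile), and the thresholds and the z-score limit are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class AuditRecord:
    """A detection-specific audit record with the fields listed in the notes."""
    subject: str
    action: str
    obj: str
    exception: str                       # "" when no exception condition was raised
    resource_usage: Dict[str, float]     # e.g. {"records_read": 12}
    timestamp: float                     # seconds since some epoch


def threshold_detect(records, action, exception, window, limit):
    """Threshold detection: flag subjects for whom `action` raising `exception` occurs
    more than `limit` times within any `window`-second interval."""
    per_subject = defaultdict(list)
    for r in records:
        if r.action == action and r.exception == exception:
            per_subject[r.subject].append(r.timestamp)
    flagged = set()
    for subject, times in per_subject.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink the interval from the left
                start += 1
            if end - start + 1 > limit:
                flagged.add(subject)
                break
    return flagged


def profile_detect(history, current, metric, z_limit=3.0):
    """Profile-based detection: compare each subject's current value of `metric` with the
    mean and standard deviation of that subject's past values.  Returns {subject: z-score}
    for those whose deviation exceeds z_limit."""
    flagged = {}
    for subject, value in current.items():
        past = [r.resource_usage[metric] for r in history
                if r.subject == subject and metric in r.resource_usage]
        if len(past) < 2:
            continue                                   # no usable profile yet
        mu, sigma = mean(past), pstdev(past)
        if sigma == 0:
            z = 0.0 if value == mu else float("inf")   # flat profile: any change is a deviation
        else:
            z = abs(value - mu) / sigma
        if z > z_limit:
            flagged[subject] = round(z, 2)
    return flagged


def constructed_records() -> List[AuditRecord]:
    """Constructed sample audit trail: alice and carol read the payroll database once an hour
    at steady rates; bob fails to log in five times within twenty seconds."""
    recs = []
    for i in range(5):
        recs.append(AuditRecord("alice", "login", "tty1", "", {}, 1000.0 + 3600 * i))
        recs.append(AuditRecord("alice", "read", "payroll.db", "", {"records_read": 10 + i}, 1010.0 + 3600 * i))
        recs.append(AuditRecord("carol", "read", "payroll.db", "", {"records_read": 50 + 2 * i}, 1020.0 + 3600 * i))
    for i in range(5):
        recs.append(AuditRecord("bob", "login", "tty2", "bad-password", {}, 2000.0 + 4 * i))
    return recs


if __name__ == "__main__":
    records = constructed_records()
    print("threshold:", threshold_detect(records, "login", "bad-password", window=60, limit=3))
    print("profile:", profile_detect(records, {"alice": 12, "carol": 5000}, "records_read"))
```

The profile test illustrates the caveat in the notes that a single parameter may not be enough: carol's record count is wildly outside her profile, but whether that alone justifies an alert depends on the other parameters in her profile (session time, I/O, time of day), which a real detector would combine.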
3. Rule-Based Intrusion Detection
• Observe events on the system & apply rules to decide if activity is suspicious or not
• Rule-based anomaly detection
– Analyze historical audit records to identify usage patterns & auto-generate rules for them
– Then observe current behavior & match against the rules to see if it conforms
– Like statistical anomaly detection, does not require prior knowledge of security flaws
Rule-Based Intrusion Detection
• Rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– compare audit records or states against the rules
– rules are usually machine & O/S specific
– rules are generated by experts who interview & codify the knowledge of security admins
– quality depends on how well this is done
4. Base-Rate Fallacy
• Practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions are detected -> false security
– if too many false alarms -> ignored / wasted time
• This is very hard to do
• Existing systems seem not to have a good record
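The base-rate fallacy is a statement about conditional probability, so it is worth carrying the arithmetic through once. The following is an added example, not from the notes: Bayes' rule gives the probability that an alarm really is an intrusion, and the figures used (one intrusion per 100,000 audited events, 99% detection, 1% false alarms per event) are constructed to show why a false-alarm rate that sounds small still swamps the true alarms.

```python
def alarm_precision(base_rate: float, detection_rate: float, false_alarm_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule.
    base_rate        = P(intrusion) per audited event
    detection_rate   = P(alarm | intrusion)
    false_alarm_rate = P(alarm | no intrusion)"""
    p_alarm = base_rate * detection_rate + (1 - base_rate) * false_alarm_rate
    return base_rate * detection_rate / p_alarm


def false_alarm_rate_for(base_rate: float, detection_rate: float, wanted_precision: float) -> float:
    """Solve alarm_precision(...) == wanted_precision for the false-alarm rate, i.e. how rare
    false alarms must be before a given fraction of alarms are real."""
    return (base_rate * detection_rate * (1 - wanted_precision)
            / (wanted_precision * (1 - base_rate)))


if __name__ == "__main__":
    # Constructed figures: 1 intrusion per 100,000 audited events, a 99% detection rate.
    base, detect = 1e-5, 0.99
    for far in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        print(f"false-alarm rate {far:g}: P(intrusion | alarm) = {alarm_precision(base, detect, far):.2%}")
    print(f"false-alarm rate needed for 50% precision: {false_alarm_rate_for(base, detect, 0.5):.2e}")
```

With these numbers, a 1% per-event false-alarm rate means roughly one alarm in a thousand is a real intrusion, and reaching even 50% precision needs a false-alarm rate around 1e-5, which is the practical difficulty the notes describe.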
5. Distributed Intrusion Detection
• The traditional focus is on single systems
• But we typically have networked systems
• A more effective defense has these working together to detect intrusions
• Issues
– Dealing with varying audit record formats
– Integrity & confidentiality of networked data
– Centralized or decentralized architecture
Distributed Intrusion Detection - Architecture
Distributed Intrusion Detection - Agent Implementation
6. Honeypots
• Decoy systems to lure attackers
– Away from accessing critical systems
– To collect information on their activities
– To encourage the attacker to stay on the system so the administrator can respond
• Are filled with fabricated information
• Instrumented to collect detailed information on attackers' activities
• Single or multiple networked systems
• Cf. IETF intrusion detection WG standards
FIREWALLS:
A firewall is a network device that isolates an organization's internal network from the larger outside network/Internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from the internal network.
All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
A firewall is considered an essential element for achieving network security for the following reasons:
· Internal networks and hosts are unlikely to be properly secured.
· The Internet is a dangerous place with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
· To prevent an attacker from launching denial of service attacks on network resources.
· To prevent illegal modification/access to internal data by an outside attacker.
Types of Firewalls:
1. Packet Filtering Routers
2. Stateful Packet Filters
3. Application Level Gateway
4. Circuit Level Gateway
Packet Filtering Router:
A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or be stopped based on source and destination IP address, protocols and ports. It analyses traffic at the transport protocol layer (but mainly uses the first 3 layers).
A packet filtering firewall maintains a filtering table which decides whether the packet will be forwarded or discarded. From the given filtering table, the packets will be filtered according to the following rules:
Source ID | Dest ID | Source port | Dest port | Action
--- | --- | --- | --- | ---
192.168.21.0 | ------ | ------- | ------ | Deny
------ | ------ | ------- | 23 | Deny
------ | 192.168.21.3 | ------- | ------- | Deny
------ | 192.168.21.0 | ------- | >1023 | Allow
Sample Packet Filter Firewall Rules
i. Incoming packets from network 192.168.21.0 are blocked.
ii. Incoming packets destined for the internal TELNET server (port 23) are blocked.
iii. Incoming packets destined for host 192.168.21.3 are blocked.
iv. All well-known services to the network 192.168.21.0 are allowed.
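A filtering table like the one above is evaluated top to bottom, first match wins, with a default action for packets that match nothing. The following is an added example written for these notes, not code from the notes or from any firewall product: it encodes the four rules of the table (with "------" as a wildcard, 192.168.21.0 read as the /24 network and 192.168.21.3 as a single host, both assumptions) and runs constructed packets through them, reporting which rule decided each one. The default action (deny) is also an assumption; the table itself does not state one.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

# The notes' table, with "------" written as "*" and the addresses given explicit prefixes:
# 192.168.21.0 is read as the /24 network and 192.168.21.3 as a single host (assumption).
RULES = [
    # source            destination         sport  dport    action
    ("192.168.21.0/24", "*",                "*",   "*",     "deny"),
    ("*",               "*",                "*",   "23",    "deny"),
    ("*",               "192.168.21.3/32",  "*",   "*",     "deny"),
    ("*",               "192.168.21.0/24",  "*",   ">1023", "allow"),
]


def match_addr(spec: str, addr: str) -> bool:
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if spec[0] == ">":
        return port > int(spec[1:])
    if spec[0] == "<":
        return port < int(spec[1:])
    return port == int(spec)


def filter_packet(pkt: Packet, rules=RULES, default="deny"):
    """First matching rule decides; packets matching no rule get the default action.
    Returns (action, index of the rule that matched, or None for the default)."""
    for i, (src, dst, sport, dport, action) in enumerate(rules):
        if (match_addr(src, pkt.src) and match_addr(dst, pkt.dst)
                and match_port(sport, pkt.sport) and match_port(dport, pkt.dport)):
            return action, i
    return default, None


if __name__ == "__main__":
    samples = [  # constructed packets, one per rule plus one that falls through to the default
        Packet("192.168.21.7", "10.0.0.1", 40000, 80),
        Packet("10.1.1.1", "10.0.0.5", 40000, 23),
        Packet("10.1.1.1", "192.168.21.3", 40000, 8080),
        Packet("10.1.1.1", "192.168.21.9", 40000, 8080),
        Packet("10.1.1.1", "192.168.21.9", 40000, 80),
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Rule order is what makes the table mean what the notes say: the deny for host 192.168.21.3 sits above the allow for the whole 192.168.21.0 network, so a packet to that host on a high port is refused by rule iii before rule iv can admit it.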
Advantages:
Packet filters are faster than other techniques.
Less complicated, in the sense that a single rule controls the deny or allow of packets.
They shield the internal IP addresses from the external world.
They do not require client computers to be configured specially.
Disadvantages:
Packet filters do not understand application layer protocols.
Packet filters do not offer any value-added features, such as HTTP object caching, URL filtering, and authentication, because they do not understand the protocols being used.
Packet filtering routers are not very secure; they can't discriminate between good and bad packets.
Stateful Inspection Firewall:
Stateful firewalls (which perform Stateful Packet Inspection) are able to determine the connection state of a packet, unlike a packet filtering firewall, which makes them more efficient. A stateful firewall keeps track of the state of network connections travelling across it, such as TCP streams. So the filtering decisions are based not only on the defined rules, but also on the packet's history in the state table.
· Traditional packet filters do not examine higher layer context
- i.e. matching return packets with the outgoing flow
· Stateful packet filters address this need
· They examine each IP packet in context
- Keep track of client-server sessions
- Check that each packet validly belongs to one
· Hence they are better able to detect bogus packets out of context
· May even inspect limited application data.
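"Matching return packets with the outgoing flow" is the whole difference from the plain packet filter: instead of opening every high port so that replies can come back, the firewall records the sessions internal clients open and admits an inbound packet only if it belongs to one. The following is an added example written for these notes, not code from the notes or from any firewall product: a minimal state table keyed on the client/server address pair, tracking a TCP session from SYN through SYN-ACK to close. The internal prefix, the allowed server ports and the packet trace are constructed, and only the SYN, ACK, FIN and RST flags are modelled.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: set of TCP flag names


class StatefulFilter:
    """Allows inbound packets only when they belong to a session an internal client opened.
    A plain packet filter would have to open all high ports to let replies in; this keeps a
    state table instead."""

    def __init__(self, internal_net_prefix: str, allowed_server_ports) -> None:
        self.internal = internal_net_prefix        # e.g. "10.0.0." (prefix match, a simplification)
        self.allowed = set(allowed_server_ports)
        self.sessions = {}                         # (client, cport, server, sport) -> state

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal)

    def process(self, pkt: Packet) -> str:
        if self._is_internal(pkt.src):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.sessions[key] = "CLOSING"
            return "allow"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags and pkt.dport in self.allowed:
            self.sessions[key] = "SYN_SENT"        # new client-server session
            return "allow"
        return "deny"                              # neither a new connection nor part of one

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse direction of the stored key
        state = self.sessions.get(key)
        if state is None:
            return "deny"                          # out of context: no client asked for this
        if state == "SYN_SENT":
            if pkt.flags >= {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "allow"
            return "deny"                          # reply that does not fit the handshake
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            self.sessions.pop(key, None)           # session torn down, entry removed
        return "allow"


def run_trace(pkts, fw=None):
    """Feed constructed packets through one filter; returns the verdict per packet."""
    fw = fw or StatefulFilter("10.0.0.", allowed_server_ports={80, 443})
    return [fw.process(p) for p in pkts]


TRACE = [  # constructed packets; 10.0.0.0/24 is internal, 198.51.100.10 an outside web server
    Packet("10.0.0.5", 40000, "198.51.100.10", 443, {"SYN"}),           # client opens session
    Packet("198.51.100.10", 443, "10.0.0.5", 40000, {"SYN", "ACK"}),    # legitimate reply
    Packet("10.0.0.5", 40000, "198.51.100.10", 443, {"ACK"}),           # handshake completes
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, {"SYN", "ACK"}),      # bogus: wrong peer
    Packet("203.0.113.9", 40001, "10.0.0.5", 22, {"SYN"}),              # unsolicited inbound SYN
    Packet("198.51.100.10", 443, "10.0.0.5", 40000, {"ACK"}),           # data on the open session
    Packet("10.0.0.5", 40002, "198.51.100.10", 25, {"SYN"}),            # port not allowed outbound
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace(TRACE)):
        print(verdict, p)
```

Two things a production implementation adds that this model leaves out are sequence-number checking within the established state and a timeout that expires idle entries, without which the state table itself becomes a resource an attacker can exhaust.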
Application Level Gateway (or Proxy):
An application layer firewall can inspect and filter packets on any OSI layer, up to the application layer. It has the ability to block specific content, and also to recognize when certain applications and protocols (like HTTP, FTP) are being misused.
In other words, application layer firewalls are hosts that run proxy servers. A proxy firewall prevents direct connections between either side of the firewall; each packet has to pass through the proxy. It can allow or block the traffic based on predefined rules.
Note: Application layer firewalls can also be used as a Network Address Translator (NAT).
Advantages:
Direct connections between internal and external hosts are disallowed.
User-level authentication is supported.
The application commands are analyzed inside the payload portion of the data packets.
Disadvantages:
Slower than packet filters.
Need the internal client to know about them.
Every possible type of connection cannot be supported.
Circuit Level Gateway:
Circuit level gateways work at the session layer of the OSI model. The TCP handshaking between packets, for determining whether a requested session is legitimate or not, is monitored by circuit level gateways. The information that is passed to a remote computer through a circuit level gateway will appear as if it originated from the gateway. This process is useful for hiding information about protected networks. CL gateways are inexpensive.
Advantages:
Private network data hiding
Avoidance of filtering individual packets
Flexible in developing address schemes
Don't need a separate proxy server for each application
Simpler to implement
Disadvantages:
Active content cannot be scanned, and individual commands cannot be disallowed.
Can only handle TCP connections (new extensions are proposed for UDP).
TCP/IP stacks must be modified by the vendor for using CL gateways.