10 Network Attacks CSCD27 Computer and Network Security 43
Network Protection: Macro Scale
Question: you're a network/systems admin for a large campus (like UTSC, or IBM Markham) with thousands of networked devices connected to the Internet – how do you ensure all these devices are secure against attackers?
require all user systems to be administered by IITS or equivalent
require all user systems to turn off risky services
require all user systems to undergo pen-testing by IITS or equivalent
Other than the sheer number of user systems, diversity is also a problem – OSes, versions of OSes, installed software and versions, different hardware configs, … we probably can't even enumerate this, let alone secure it!
Attack surface is too large to effectively protect
Network Protection: Firewalls
Approach: focus on the point at which all these user systems converge … your link to the Internet
A firewall is a network device/router that can be flexibly configured to open/close network access to hosts (network devices) and/or ports on those hosts going in and/or out of an organization's network
Firewall enforces an access-control policy: what IP addresses can exchange packets with other IP addresses, and what services can be accessed (TCP/UDP port #'s)
"Inbound" packets are those from the Internet trying to get into the local network; "outbound" packets go the other way
For the most part, we trust the "outbound" but not the "inbound"
Firewalls
isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[Figure: firewall sitting between the administered internal network (trusted, "good guys") and the public Internet (untrusted, "bad guys")]
Firewalls: Why?
mitigate denial of service attacks:
o SYN flooding, SMURF attack
reduce attacker ability to perform network reconnaissance:
o port scanning, network mapping
mitigate unauthorized access/tampering of "internal" network data:
o network-attached databases/storage (NAS), Web sites
allow only authorized access to "internal" network
o set of authenticated users/hosts
three types of firewalls:
o stateless packet filters
o stateful packet filters
Network Protection: Firewalls
Simple access-control policy: allow inside hosts to connect to any outside host/service; outside hosts subject to restrictions:
o allowed to connect to internal hosts/services intended to be externally visible, e.g. email server, Web server
o blocked from connecting to all other internal hosts/services
How to handle cases not explicitly mentioned in the policy?
o Default to "allow" – start by allowing packets to pass, and only turn off when problems arise – hmm …
o Default to "deny" – start by blocking packets, and only allow them to pass when users complain – ahh, now that's more like it! Gets noticed more quickly by people you know; errors are less painful than with "default allow"
Stateless packet filtering
internal network connected to Internet via router firewall
router filters packet-by-packet; decision to forward/drop packet based on:
o source IP address, destination IP address
o TCP/UDP source and destination port numbers
o ICMP message type
o TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Stateless packet filtering: example
example 1: block incoming and outgoing datagrams with either IP protocol field = 17 (UDP) or TCP source or dest port = 23 (telnet). Result: all incoming and outgoing UDP flows and telnet connections are blocked
example 2: block inbound TCP segments with ACK=0. Result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Policy | Firewall Setting
No outside Web access | Drop all outgoing packets to any IP address, port 80 (http) or 443 (https)
No incoming TCP connections, except those connecting to the UTSC public Web server | Drop all incoming TCP SYN packets to any IP except 142.1.96.30, port 80 or port 443
Prevent Web-radios from consuming available bandwidth | Drop all incoming UDP packets except DNS and router broadcasts
Prevent your network from being used for a smurf DoS attack | Drop all ICMP packets going to a "broadcast" address (e.g. 142.1.255.255)
Prevent your network from being tracerouted | Drop all outgoing ICMP TTL expired packets
Access Control Lists (ACLs)
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs
action | source address | dest address | protocol | source port | dest port | flag bit
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | ---
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | ---
deny | all | all | all | all | all | all
Stateful packet filtering
stateless packet filter: blunt instrument
o admits packets that "make no sense," e.g., src port = 80, ACK bit set, even though no TCP connection established:
action | source address | dest address | protocol | source port | dest port | flag bit
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK
stateful packet filter: track status of every TCP connection
o track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets "make sense"
ACL augmented to indicate need to check connection state table before admitting packet
action | source address | dest address | proto | source port | dest port | flag bit | check connection
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any |
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK | Y
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | --- |
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | --- | Y
deny | all | all | all | all | all | all |
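As an added example (not from the slides), here is a small Python model of the ACL above applied to sample packets, first as a stateless filter and then with the connection-table check: the inbound "src port 80, ACK set" packet that the stateless filter admits is denied by the stateful one until an inside host has actually opened that connection. The 222.22/16 network and the rule rows come from the slides; the Packet fields, flow-table layout and sample addresses are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("222.22.0.0/16")   # the internal network in the slides' ACL

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "TCP" or "UDP"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}

def is_inside(ip):
    return ip_address(ip) in INSIDE

def port_matches(cond, port):
    return cond == "any" or (cond == ">1023" and port > 1023) or cond == port

# The slides' allow rows: (action, source inside?, proto, src port, dst port, flag, check
# connection table?). Destination side is the opposite of the source; "deny all" is implicit.
ACL = [
    ("allow", True,  "TCP", ">1023", 80,      None,  False),
    ("allow", False, "TCP", 80,      ">1023", "ACK", True),
    ("allow", True,  "UDP", ">1023", 53,      None,  False),
    ("allow", False, "UDP", 53,      ">1023", None,  True),
]

class Firewall:
    def __init__(self, stateful):
        self.stateful = stateful
        self.flows = set()   # (inside ip, inside port, outside ip, outside port) opened from inside

    def filter(self, p):
        for action, src_inside, proto, sport, dport, flag, check_conn in ACL:
            if not (is_inside(p.src) == src_inside and is_inside(p.dst) != src_inside
                    and p.proto == proto and port_matches(sport, p.sport)
                    and port_matches(dport, p.dport) and (flag is None or flag in p.flags)):
                continue
            if self.stateful and check_conn:
                key = (p.dst, p.dport, p.src, p.sport)
                if key not in self.flows:
                    return "deny"             # inbound "reply" to a connection nobody opened
                if "FIN" in p.flags:
                    self.flows.discard(key)   # teardown: forget the connection
            elif self.stateful:
                self.flows.add((p.src, p.sport, p.dst, p.dport))   # outbound: remember the flow
            return action
        return "deny"   # implicit last row: deny all
```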
Intrusion Detection Systems (IDS)
packet filtering:
o operates on TCP/IP headers only
o no correlation check among sessions
IDS: intrusion detection system
deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
examine correlation among multiple packets
o port scanning
o network mapping
o DoS attack
[Figure: Internet → firewall → demilitarized zone (Web server, FTP server, DNS server) → internal network, with IDS sensors placed at several points]
Intrusion Detection Systems
multiple IDS's: different types of checking at different locations in network
Virtual Private Networks: VPNs
How do you provide secure remote access to local network services protected by a firewall?
Firewall rules block connections from outside to those services, but employees may need access to restricted resources while travelling, e.g. financial/sales DBs
A Virtual Private Network creates a tunnel through the Internet to an internal VPN server
VPN client/user is assigned an IP on the local network, and so has same access rights as anyone else on local net
Provides authentication, confidentiality, integrity, like SSL
e.g. OpenVPN, available for most platforms
Domain Name System (DNS)
[Figure: client asks the local DNS server "What's the IP address for www.google.ca?"; the local server queries k.root-server.net, the .ca ccTLD server and the google.ca DNS server in turn, and returns 173.194.75.94 to the client]
DNS maps symbolic names to numeric IP addresses
DNS Root Name Servers
"root" name servers for "top-level" domains
Authoritative name servers for subdomains
Local name resolvers contact authoritative servers when they do not know IP address for a name
DoS attack on root DNS servers, consequence?
[Figure: map of root name servers] a Verisign, Dulles, VA; b USC-ISI, Marina del Rey, CA; c Cogent, Herndon, VA (also LA); d U Maryland, College Park, MD; e NASA, Mt View, CA; f Internet Software C., Palo Alto, CA (and 36 other locations); g US DoD, Vienna, VA; h ARL, Aberdeen, MD; i Autonomica, Stockholm (plus 28 other locations); k RIPE, London (also 16 other locations); l ICANN, Los Angeles, CA; m WIDE, Tokyo (also Seoul, Paris, SF)
DNS Caching
DNS responses are cached: important optimization for repeated translations (very common). How does this speed lookups?
other queries may reuse parts of lookup
o e.g. NS records for domains (e.g. utsc.utoronto.ca)
DNS negative queries also cached
don't have to repeat past mistakes
o e.g. misspellings such as goggle.com
Cached data periodically times out. Why?
lifetime (TTL) of data controlled by owner of data. What's the motive for TTL?
TTL transmitted with every DNS record
DNS Vulnerabilities
Users/hosts trust the host-address mapping provided by DNS:
Used as basis for many security policies, e.g. browser same-origin policy
Obvious problems
Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
o e.g.: hijack BGP route to spoof DNS
Solution – authenticated requests/responses
o provided by DNS-SEC … but DNS-SEC deployment is spotty
DNS Authentication
Request contains random 16-bit TXID
Response accepted if TXID is the same
Can remain in cache for long time (TTL)
[Figure: the www.google.ca lookup from before (client, local DNS server, k.root-server.net, .ca ccTLD server, google.ca DNS server), with the local server's request carrying a random TXID that the response must echo]
DNS cache poisoning
Victim machine visits attacker's Web site (e.g. blog or spam-linked), downloads some JavaScript
[Figure: user browser → local DNS resolver: query a.bank.com, TXID=x1. Attacker sends 256 responses with random TXIDs y1, y2, …, each carrying NS bank.com = ns.bank.com and A ns.bank.com = attackerIP, racing the real answer from ns.bank.com]
Attacker wins if ∃j: x1 = yj and the attacker's response arrives first
Response cached and attacker owns bank.com for TTL !!
If at first you don't succeed …
Victim machine visits attacker's web site, downloads JavaScript
[Figure: user browser → local DNS resolver: query b.bank.com, TXID=x2. Attacker again sends 256 responses with random TXIDs y1, y2, …, carrying NS bank.com = ns.bank.com and A ns.bank.com = attackerIP, racing the real answer from ns.bank.com]
attacker wins if ∃j: x2 = yj
success after ≈ 256 tries
Solving DNS Spoofing Problem
Long TTL for legitimate responses
o Does this really solve the problem?
Randomize port in addition to TXID
o 32 bits of randomness, increases effort of birthday-collision attack from 2^8 to 2^16 to guess TXID
DNS-SEC
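An added Python example (not part of the slides) of the resolver-side acceptance check described above, matching the TXID and, once ports are randomized, the source port too, together with the arithmetic behind the slides' figures: win_probability and expected_queries model one outstanding query against 256 random guesses per round (the ≈ 256 rounds for a 16-bit TXID), and birthday_guesses gives the 2^8 → 2^16 birthday bound that applies when many queries are outstanding at once. The function and field names are this example's own.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int        # random 16-bit transaction ID sent in the request
    src_port: int    # UDP port the request left from; the response must come back to it

def new_query(qname, randomize_port, rng=None):
    """Resolver side: issue a query with a fresh TXID and, if enabled, a random port."""
    if rng is None:
        rng = random.Random()
    txid = rng.getrandbits(16)
    port = rng.getrandbits(16) if randomize_port else 53   # a fixed port leaves only 16 secret bits
    return PendingQuery(qname, txid, port)

def accept_response(pending, qname, txid, dst_port):
    """Resolver side: accept a response only if it answers an outstanding query,
    echoes that query's TXID and is addressed to the port that query used."""
    q = pending.get(qname)
    return q is not None and q.txid == txid and q.src_port == dst_port

def win_probability(random_bits, guesses_per_query=256):
    """P(some forged response matches the query's secret bits) in one round,
    i.e. the slides' "exists j: x = y_j" with 256 random y_j per query."""
    return -math.expm1(guesses_per_query * math.log1p(-1.0 / 2 ** random_bits))

def expected_queries(random_bits, guesses_per_query=256):
    """Expected number of poisoning rounds until the first success."""
    return 1 / win_probability(random_bits, guesses_per_query)

def birthday_guesses(random_bits):
    """Birthday bound when many queries are outstanding at once: about the square
    root of the space, 2^8 for a 16-bit TXID and 2^16 with port randomization."""
    return round(math.sqrt(2 ** random_bits))

if __name__ == "__main__":
    q = new_query("a.bank.com", randomize_port=True, rng=random.Random(7))
    pending = {q.qname: q}
    print(accept_response(pending, "a.bank.com", q.txid, q.src_port))   # genuine reply: True
    print(accept_response(pending, "a.bank.com", q.txid, 53))           # right TXID, wrong port: False
    print(round(expected_queries(16)), birthday_guesses(16), birthday_guesses(32))
```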
DNS Spoofing Defense: DNS-SEC
Authentication, integrity of DNS requests/responses
PK-DNSSEC (public key)
o DNS server signs its data (can be done in advance)
o How do other servers learn the public key?
SK-DNSSEC (symmetric key)
o Encryption and MAC: Ek(m, MAC(m))
o Each message contains a nonce to avoid replay
o Each DNS node shares a symmetric key with its parent
o Zone root server has a public key (hybrid approach)
DNS Rebinding Attack
Consider a Web server intranet.utoronto.ca with "private" IP 192.168.1.100, inaccessible outside the utoronto.ca network
o Hosts security-sensitive PHP applications and data
Attacker at blackhat.com gets utoronto.ca user to browse www.blackhat.com
o Places JavaScript on www.blackhat.com that accesses sensitive application on intranet.utoronto.ca
Attack fails because JavaScript is restricted by the "same-origin" policy (more when we cover Web security)
[Figure: browser behind the firewall asks ns.blackhat.com for www.blackhat.com and gets 172.64.5.29 with TTL = 0; the page from www.blackhat.com loads <script src="http://www.blackhat.com/…">malware</script> and <iframe src="http://www.blackhat.com/…">; when the name is resolved again it now maps to 192.168.1.100, the intranet Web server]
DNS Rebinding Attack
iframe read permitted: considered “same origin”
DNS-SEC cannot stop this attack
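DNS-SEC does not help here because the rebinding answers genuinely come from ns.blackhat.com; what a resolver can do instead is refuse answers that map an external name onto an internal address (the idea behind dnsmasq's --stop-dns-rebind option). The Python check below is an added example, not from the slides: it replays the two answers from the figure above, and INTERNAL_ZONES, the function names and the log layout are this example's assumptions.

```python
from ipaddress import ip_address

# Assumption for this example: names under these zones may legitimately map to
# internal addresses; any other name resolving to one is treated as a rebind attempt.
INTERNAL_ZONES = ("utoronto.ca",)

# Constructed log of the two answers in the figure: (name, address, TTL). The TTL of 0
# is what lets the browser re-resolve immediately; the check itself keys on the address.
OBSERVED_ANSWERS = [
    ("www.blackhat.com", "172.64.5.29", 0),
    ("www.blackhat.com", "192.168.1.100", 0),
]

def in_internal_zone(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)

def is_internal_address(ip):
    a = ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local

def check_answer(name, ip, history):
    """Resolver-side check on one A record before it reaches a client. history maps
    names to the addresses already handed out for them (updated here). Returns the
    reason for refusing the record, or None to pass it through."""
    name = name.lower().rstrip(".")
    previous = history.setdefault(name, set())
    reason = None
    if is_internal_address(ip) and not in_internal_zone(name):
        reason = f"{name} resolves to internal address {ip}"
        if previous and not any(is_internal_address(p) for p in previous):
            reason = f"{name} rebound from public {sorted(previous)} to internal {ip}"
    previous.add(ip)
    return reason

def filter_answers(answers):
    """Replay a sequence of (name, ip, ttl) answers; return the refused ones."""
    history, refused = {}, []
    for name, ip, _ttl in answers:
        reason = check_answer(name, ip, history)
        if reason:
            refused.append((name, ip, reason))
    return refused

if __name__ == "__main__":
    for name, ip, reason in filter_answers(OBSERVED_ANSWERS):
        print(f"refused {name} -> {ip}: {reason}")
```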
Mobile Phone Security
The GSM mobile phone system is vulnerable to "IMSI catchers" due to its authentication design (phones authenticate to towers but not vice versa)
[Image (not reproduced here): IMSI catchers detected in the Washington DC central city]
Fake cell towers have been detected across the US and EU, and in China signal hijacking is reported to be at epidemic levels (more than 13 million fake connections/day in 2014)
A US company sells versions of IMSI catchers that can be
Mobile Phone Security
Rayzone sells gear/apps to track users in real-time worldwide, and to perform IMSI catching on selected targets
IMSI targets can have their phone id info captured, security downgraded, communication jammed, and batteries drained
Both GSM and 3G AKA protocols lack forward-secrecy protection, and require the key for only the tower side of a connection