Introduction. Network Security HS Security Trends

Academic year: 2021

Network Security HS 2014

Introduction


NSHS08H8353226 ETH Zurich, Bernhard Plattner Intro – Network Security 3

Why is network security an issue?

- Email, web sites, video conferencing, instant messaging, voice over IP, e-commerce, e-government, distributed control systems (for energy, water, traffic etc.), social networks ...
  → The economy and our lives depend more and more on the Internet
  → Distributed information systems have become critical infrastructures
- Open systems
  → technology is standardized and is no longer a secret
- Insecurity driven by organized crime
  → Entirely new «business models»
- Huge and fast growing Internet user base (est.: 2.80 billion; source: http://www.internetworldstats.com/stats.htm)
  → increasing risk (both damage potential and probability of occurrence increase)

Internet Security Evolution


Cybercrime is now a business

Klikparty, 2007 Credits Engin Kirda


Security Threats

Asymmetric threat and leverage

- Asymmetric threat
  - IT and the Internet continually give attackers new opportunities for leverage
    - automation, technique propagation
    - distant action in a network
    - security-unaware users join the Internet
  - Attacker tries a few exploits on a few systems, but defenders must secure all systems against all exploits
- Leverage
  - You may reach 100 million potential subjects (customers, or victims)
  - We can't count on previous constraints (e.g. travel cost, cost of physical shipment) to limit the effectiveness of an attacker


Attacker Motivation

- Ego
  - To show the world what one can do
  - To impress peers
  - To live some fantasy of omnipotence
- Revenge, destruction, creation of fear
  - Cyber warfare
  - Terrorism
  - Secret service activities (Stuxnet 2010, Snowden/NSA 2013)
  - Direct revenge (e.g. a disgruntled former employee)
- Criminal intent
  - Blackmail, racketeering (Schutzgelderpressung: extortion of protection money)
  - Credit card fraud
  - Infiltrating e-banking
  - Spamming, phishing

Attacker Motivation (cont.)

- Acquisition of computing and network resources
  - Typically commercial motivation; stealth is usually desired
  - Has become widespread in the last few years: botnets
    - The cybercriminal's cloud
    - Botnets have 10k to >1M hosts and have been used in DoS attacks ...
  - Often causes overall network degradation and cost for protection (e.g. spam) → collateral damages are significant
- Acquisition of sensitive information
  - Industry espionage by competitors and intelligence agencies
  - Undercover criminal investigations ("Online-Durchsuchung", covert online search, in Germany; http://www.spiegel.de/netzwelt/tech/0,1518,464629,00.html)


What can attackers do?

- Attack the flow of information
  - Send fake messages
  - Replay messages
  - Modify messages in transit
- Attack services to achieve denial of service
  - Overload system resources
- Attack Internet infrastructure
  - DNS, BGP, ARP
- Gain unauthorized access to services
- Infiltrate security protocols or processes (e.g. MITM)
- Change system functions
  - Infiltrate the system with attack code
- Modify foreign web pages
  - Change the appearance of a web page
  - Place attack code
- Hijack user sessions
  - E-banking
- Assume a false identity
- Use social engineering to establish trust
- Break crypto
- etc.

Where are the attack targets?

- Hackers attack us where we sit: client-side attacks dominate
  - Browser attacks now target plug-ins
  - IFrame-based attacks are now prevalent
- Attacks of all shapes and sizes
  - Anti-virus worms
  - Social networking attacks: MySpace & Facebook
  - Phishing: the banking industry is target #1
  - Web mines: www.goggle.com rather than www.google.com
  - Documents: PDFs are no longer safe!
- Data stored on end-points is often the most valuable and the least protected!


What is the goal of "security"?

- Confidentiality
- Integrity
- Availability

These three form the CIA triad. And more:

- Authenticity
- Accountability
- Non-repudiation
- Privacy

Glossary:

Confidentiality: prevention of unauthorized disclosure of information
Integrity: prevention of unauthorized modification or deletion of information
Availability: prevention of unauthorized withholding of information

Attack classification

- Passive attacks (threaten confidentiality)
  - Compromise of content
  - Traffic analysis
- Active attacks
  - Denial of service (threatens availability)
  - Modification (threatens integrity and authenticity)
  - Fabrication (threatens integrity and authenticity)
  - Replay (threatens integrity and authenticity)


Establishment of a virtual secure channel

[Figure: Alice and Bob communicate over the Internet; security measures at both ends establish a secure channel that provides source authenticity, content integrity, confidentiality, and delivery only to authorized recipients.]


What is a "secure channel"?

Channel types are classified along two independent properties: confidential or not, and authentic or not.

Not confidential channel: An attacker can eavesdrop on all information sent.

Confidential channel: No eavesdropping possible on information sent.

Not authentic channel: The receiver has no guarantee that the sender is the one he claims to be, and that the content is original.

Authentic channel: The receiver can be assured that the sender of the information is the one he claims to be and that the content is original.


Secure communication using an insecure channel

[Figure: the sender applies a security transformation (encryption) to the message using secret key 1; the result crosses the channel; the receiver applies the inverse transformation (decryption) using secret key 2.]

Attacker model (part of Kerckhoffs's design principles for military ciphers):
- Has full access to the physical channel
- Knows all mechanisms and protocols
- Does not know any secret keys

Access control

[Figure: an information system (hardware, software, storage, applications) is protected by local security measures; access control at its boundary admits the legitimate user and keeps the attacker out.]


System Map: Security on different OSI layers

[Figure: three protocol stacks (application, transport, network, physical layer) with user interfaces at the end nodes, and the security mechanisms placed at their layers: authentication (Auth) at the application layer of each node, SSH and SSL at the application/transport layers, IPsec at the network layer, link encryption and quantum cryptography at the physical layer.]

Cross-cutting: intrusion detection/protection, spam filtering, economic incentives, legal enforcement, forensics

Underlying everything: hardware and software platforms and environments

Conclusions

Take Home Message

- Decades of security problems: security is a process, not a one-time thing
- What is the security goal? Know the CIA triad!
- Attacks differ a lot but can be classified
- Cryptography can provide secure channels in an insecure network
- Security can be implemented at different OSI layers
- Know some significant historic attack cases (see reader on Moodle)

Threats to Civilization


November 2014

Firewall Techniques

Bernhard Plattner TIK-CSG / [email protected]

Firewall techniques

- What is a firewall?
  - A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.
- Types of operation
  - Simple packet filter
  - Stateful filter
  - Application layer / proxy based


Firewall Rules

- Filtering
  - Ingress: filter incoming traffic
  - Egress: filter outgoing traffic
- Default policy
  - Accept all versus reject all
- Deny access
  - Drop: silently drop the packet
  - Reject: drop the packet and inform the sender
- Transparency
  - Firewall and network fingerprinting

Firewall Rule Processing


Stateless Firewall - Packet Filter

Functionality
- examine a packet at the network layer
- decision based on the header in the packet

Pros
- application independent
- good performance and scalability

Cons
- no state or application context

Source: CheckPoint


Stateful Firewall

Functionality
- keep track of the state of the network connections
- decision based on session state

Pros
- easier to specify rules

Cons
- state explosion

Application Layer Firewall

Functionality
- take application state into the security decision

Pros
- application layer awareness

Cons
- limited set of supported application protocols
- performance, scalability

Firewall Attack/Bypass Techniques

- IP address spoofing
- Fragmentation
  - the port number is only in the first fragment, meaning that filtering on TCP or UDP ports is lost for the later fragments
  - without reassembly, the attack gets through
- Vulnerabilities
  - exploiting vulnerabilities in the firewall software/OS
- Denial of service
  - state explosion (what's the FW fallback policy?)
- Tunneling / covert channel


Firewall Detection 1

- Port scanning
  - identify a potential firewall IP through traceroute
  - port scan targets, analyze the response
    - check the source IP of responses for blocked/open ports
    - analyze differences in responses
- Firewall defense
  - the firewall improves obscurity by spoofing the source address of the RST/ACK packet to be that of the target host

Tools: nmap, firewalk, hping


Firewall detection 2

- Play with Time to Live (TTL)
  - set the packet TTL to expire one hop past the firewall
  - if the packet is passed by the firewall, a TTL-expired message should be received
  - if the packet is blocked by the firewall, either of the following could occur:
    - an ICMP administratively prohibited response is received
    - the packet is dropped without comment
- Firewall defense
  - the firewall checks for low TTL


Firewall implementation

Firewall setup: Two Variants

[Figure, Variant 1: one firewall separates the Internet from the protected internal network and from the DMZ ("de-militarized zone") that holds the DNS and the public servers.]

[Figure, Variant 2: two firewalls in series; Firewall 1 faces the Internet, Firewall 2 protects the internal network, and the DMZ with the DNS and the public servers lies between them.]


Firewalling with Linux iptables: How packets traverse the kernel

[Figure (ipchains or iptables): an arriving packet first passes destination NAT (pre-routing) and then the routing decision. Packets addressed to the local host traverse the Input chain on their way to a local process; packets to be forwarded traverse the Forward chain; packets generated by a local process traverse the Output chain. Forwarded and locally generated packets then pass source NAT (post-routing) before leaving. Each of the three chains can drop the packet.]

Chains

- Chain: set of rules which are interpreted sequentially
- Interpretation stops when a target or the end of the chain is reached
- Targets: ACCEPT, DROP, REJECT, LOG, RETURN
- Built-in chains: INPUT, OUTPUT, FORWARD
- Chain policy: sets the implicit target at the end of the chain
- User-defined chains: like subroutines
- When the end of a chain is reached:
  - If a built-in chain: the policy of the chain is applied
  - If a user-defined chain: the next rule of the calling chain will be applied (implicit RETURN)


Operations on chains

- Create new chain: iptables -N chain_name
- Erase all rules in chain: iptables -F chain_name
- Remove empty chain: iptables -X chain_name
- Set chain policy: iptables -P chain_name target
- Managing rules in a chain
  - add: iptables -A chain_name rule_spec
  - delete: iptables -D chain_name rule_num
  - insert: iptables -I chain_name [rule_num] rule_spec

Rules

- A rule specifies a filter and optionally a target
- Rules may be inserted in chains and deleted from chains → chains can be built up and changed dynamically
- Filters can use different criteria (match or don't match)
  - Source and destination addresses: -s, -d
  - Protocols: -p
  - Interfaces: -i, -o


Examples

iptables -L INPUT                                   # list the rules of the INPUT chain
iptables -P INPUT DROP                              # default policy: drop whatever no rule accepts
iptables -A INPUT -s 129.132.16.11 -p icmp -j DROP  # drop ICMP from this host
iptables -A INPUT ! -s 129.132.16.11 -j ACCEPT      # accept traffic from any other source
iptables -A INPUT ! -p tcp -j DROP                  # drop the remaining non-TCP traffic
iptables -D INPUT 14                                # delete rule number 14 of the INPUT chain

(The negation is written before the option, "! -s host"; the older form "-s ! host" is deprecated in current iptables.)
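As an added illustration (not from the slides), the following Python model replays the chain semantics described under "Chains" on the INPUT rules of the Examples slide: sequential interpretation, terminating targets (ACCEPT/DROP/REJECT) versus the non-terminating LOG, the implicit RETURN at the end of a user-defined chain, and the chain policy at the end of a built-in chain. The model only matches on -s and -p; the chain name from_lan, the LAN host 10.0.0.5 and the class/function names are constructed for the example.

```python
from collections import namedtuple
# A rule: filter (-s, -p; None = any, a leading "!" negates, as in "! -s host") + target.
# Targets: ACCEPT, DROP, REJECT, LOG, RETURN, or the name of a user-defined chain.
Rule = namedtuple("Rule", "target src proto", defaults=(None, None))

def _match(want, have):
    if want is None:
        return True
    return (want[1:].strip() != have) if want.startswith("!") else (want == have)

class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}  # built-in chains
        self.policy = dict.fromkeys(self.chains, "ACCEPT")       # set via iptables -P
        self.log = []                                            # what LOG would emit
    def new_chain(self, name):     self.chains[name] = []          # iptables -N
    def append(self, name, rule):  self.chains[name].append(rule)  # iptables -A

    def _walk(self, name, src, proto):   # sequential interpretation of one chain
        for rule in self.chains[name]:
            if not (_match(rule.src, src) and _match(rule.proto, proto)):
                continue
            if rule.target == "LOG":                   # non-terminating: carry on
                self.log.append((name, src, proto))
            elif rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target                     # terminating target
            elif rule.target == "RETURN":
                return None
            else:                                      # jump into a user-defined chain
                verdict = self._walk(rule.target, src, proto)
                if verdict is not None:
                    return verdict
        return None                 # end of chain reached: implicit RETURN to caller

    def verdict(self, chain, src, proto):  # end of a built-in chain applies its policy
        return self._walk(chain, src, proto) or self.policy[chain]

def build_input_chain():
    """INPUT rules from the Examples slide plus a constructed user chain 'from_lan'."""
    fw = Firewall()
    fw.policy["INPUT"] = "DROP"                                  # -P INPUT DROP
    fw.new_chain("from_lan")                                     # -N from_lan
    fw.append("from_lan", Rule("LOG"))
    fw.append("from_lan", Rule("REJECT", proto="udp"))
    fw.append("INPUT", Rule("from_lan", src="10.0.0.5"))         # -s 10.0.0.5 -j from_lan
    fw.append("INPUT", Rule("DROP", src="129.132.16.11", proto="icmp"))
    fw.append("INPUT", Rule("ACCEPT", src="! 129.132.16.11"))
    fw.append("INPUT", Rule("DROP", proto="! tcp"))
    return fw
```

TCP from 10.0.0.5 is logged in from_lan, falls off its end, and is then accepted by the third INPUT rule; anything from 129.132.16.11 ends up dropped, TCP by the chain policy rather than by an explicit rule.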

Documentation

- A compact user guide to iptables: http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html (somewhat outdated)
- An extensive tutorial on IP and iptables: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
- Ubuntu: https://help.ubuntu.com/community/IptablesHowTo