CSCE 815 Network Security, Lecture 21
Intrusion Detection Systems
April 8, 2003
– 2 – CSCE 815 Sp 03
Hackers and Crackers
The Difference
A hacker is a person intensely interested in the workings of the Operating System
A cracker is someone who breaks into or violates system integrity
Tools of the Trade
Reconnaissance of target systems and users
  Port Scanners
  Passive Operating System Identification
Exploits and the SANS Top 20
  Exploits – known ways to break into a system
  SANS Top 20 Most Critical Internet Security Threats
Reconnaissance
Reconnaissance of target systems and users
Social Engineering [Corporate Espionage, Ira Winkler], e.g.:
1. Call the main number: “I’m a new employee, what’s the help desk number?”
2. Call the help desk, explain again, and ask for a username, a password, and how to access the system remotely.
3. The help desk worker never questions it.
Dumpster diving
Impersonation – “This is Dean White and I’ve forgotten my password and I’ve got to get this email to the President before 5:00. Give me my password!”
Scanners
Port Scanners
Programs that check the computer’s TCP/IP stack for ports in the listen state
Port ranges: www.iana.org/assignments/port-numbers
  1-1023 – well known, e.g. on port 80 the web server is listening
  1024-49151 – registered ports
  49152-65535 – dynamic ports
TCP three-way handshake, RFC 793
TCP packets: SYN, ACK, FIN, RST sent and the response noted
Scanners – do not use these!!! People will infer things!
  Nmap (www.insecure.org)
  hping2
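The slide’s point that “people will infer things” from a scan is what a detector on the receiving side relies on: a scanner looking for listening ports sends a SYN (the first packet of the three-way handshake) to many distinct ports on one host in a short time. The following detector is an added example written for these notes, not code from the lecture; the log format it parses (“timestamp flags src:port -> dst:port”) and the sample lines are constructed, and the window and threshold values are assumptions to be tuned per site.

```python
"""Port-scan detector over constructed firewall-style log lines.

Added example (not from the lecture slides). The log format is constructed:
"<ISO timestamp> <flags> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
A source that sends SYNs to >= PORT_THRESHOLD distinct destination ports on
one host within WINDOW_SECONDS is reported as a possible scan.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW_SECONDS = 10   # assumption: tune per site
PORT_THRESHOLD = 5    # assumption: tune per site

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<flags>[A-Z|]+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: 192.0.2.7 probes six ports on the server within three
# seconds, while 203.0.113.5 behaves like an ordinary client.
SAMPLE_LOG = """\
2003-04-08T10:00:00 SYN 192.0.2.7:40001 -> 198.51.100.10:21
2003-04-08T10:00:00 SYN 192.0.2.7:40002 -> 198.51.100.10:22
2003-04-08T10:00:01 SYN 192.0.2.7:40003 -> 198.51.100.10:23
2003-04-08T10:00:01 SYN 203.0.113.5:51000 -> 198.51.100.10:80
2003-04-08T10:00:02 SYN 192.0.2.7:40004 -> 198.51.100.10:25
2003-04-08T10:00:02 SYN 192.0.2.7:40005 -> 198.51.100.10:80
2003-04-08T10:00:03 SYN 192.0.2.7:40006 -> 198.51.100.10:110
2003-04-08T10:00:20 SYN 203.0.113.5:51001 -> 198.51.100.10:443
"""


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "flags": m["flags"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {(src, dst): sorted distinct ports} for every source that sent
    SYNs to >= `threshold` distinct ports on one destination within `window`
    seconds (ports listed are those in the last qualifying window).
    Only SYN-flagged lines count: SYN opens the handshake, so it is what both
    a full connect() scan and a half-open SYN scan emit."""
    events = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SYN" not in rec["flags"].split("|"):
            continue
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = {}
    span = timedelta(seconds=window)
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until hits[start:end+1] fits in `span`
            while hits[end][0] - hits[start][0] > span:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The window is deliberately short: a slow scan spread over hours will not trip it, which is why production detectors also count per-source totals over long periods and correlate RST replies from closed ports.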
Passive Operating System Identification
aka Operating System Fingerprinting – identify the type of Operating System from its TCP/IP stack
TCP/IP parameters
  ip_default_ttl (time to live) (Linux=64, Windows=128)
  ip_forward
  tcp_sack – Selective Acknowledgement Std. (Linux = 1)
  tcp_timestamps (Linux = 1)
  tcp_window_scaling (Linux = 1)
Send various packets and observe fields in headers.
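The same inference works from a defender’s side of the wire: an administrator who knows what each host should be can check observed SYNs against the inventory and flag a machine whose stack does not match. The example below is added for these notes, not from the lecture; it uses only the parameters on the slide (initial TTL 64 for Linux, 128 for Windows, and the SACK, timestamp and window-scaling options Linux enables). The 255 entry in the TTL table and all observations are assumptions/constructed values.

```python
"""Passive OS guess from observed TCP/IP header fields (added example).

Not from the lecture. Uses the slide's parameters: initial TTL (Linux 64,
Windows 128) plus the tcp_sack, tcp_timestamps and tcp_window_scaling
options Linux sets on its SYNs. Observations below are constructed.
"""
from dataclasses import dataclass

# Initial TTLs the slide cites; 255 (routers, some BSDs) is an assumption added here.
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class SynObservation:
    ttl: int            # TTL as seen on the wire (already decremented per hop)
    sack_ok: bool       # SACK-permitted option present (tcp_sack)
    timestamps: bool    # TCP timestamp option present (tcp_timestamps)
    window_scale: bool  # window scale option present (tcp_window_scaling)


def infer_initial_ttl(observed_ttl):
    """Each router hop decrements TTL by one, so the sender's initial TTL is
    the smallest standard value >= the observed one. Returns (initial, hops)."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is always >= a valid TTL")


def guess_os(obs):
    """Map an observation to an OS family using the slide's parameters."""
    initial, hops = infer_initial_ttl(obs.ttl)
    linux_options = obs.sack_ok and obs.timestamps and obs.window_scale
    if initial == 64 and linux_options:
        family = "Linux"
    elif initial == 128:
        family = "Windows"
    elif initial == 64:
        family = "Unix-like, TTL 64 without the Linux option set"
    else:
        family = "unknown (initial TTL 255: router or BSD, assumption)"
    return {"family": family, "initial_ttl": initial, "hops": hops}


def inventory_mismatch(obs, expected_family):
    """Defensive use: True when the passive guess disagrees with what the
    asset inventory says this host runs (a rogue or re-imaged machine)."""
    return guess_os(obs)["family"] != expected_family


if __name__ == "__main__":
    # Constructed observation: a SYN that left a Linux host three hops away.
    linux_syn = SynObservation(ttl=61, sack_ok=True, timestamps=True, window_scale=True)
    print(guess_os(linux_syn))
    print("inventory mismatch:", inventory_mismatch(linux_syn, "Windows"))
```

Because only the initial TTL is recoverable (the observed value depends on the path), two hosts at different distances but with the same stack still resolve to the same family; conversely a host behind a NAT device that rewrites TTL will be misclassified, so treat the result as a hint, not an identification.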
Exploits
Exploiting weaknesses in the system
http://www.online.securityfocus.com/archive/1
SANS Top 20
SANS Institute http://www.sans.org/top20
Top 20 Most Critical Internet Security Threats
Common Vulnerabilities and Exposures www.cve.mitre.org
Computer Security
Not a state, it’s a constant process:
  Configure system as securely as possible
  Discover vulnerability
  Exploit becomes public knowledge
  Vendor responds with upgrade or patch
Stay on top of alerts/patches: learn of exploit, assess potential impact, download patch, test, install
Information Overload
Web Sites
Mailing Lists – out of 100 messages 12-15 are worthwhile; the rest are me-too’s and spam
Tips for System Administrators: set up a special “security” email account, or partition it further; Perl scripts analyze email and save it into directories by OS
Computer Emergency Response Team
Computer Emergency Response Team (CERT)
Software Engineering Institute, Carnegie Mellon
www.cert.org
Created in response to the 1988 Morris Worm incident
Issued hundreds of advisories
Responded to more than 140,000 reports of internet break-ins
Responded to more than 7000 vulnerabilities
[www.cert.org/stats/cert_stats]
On call 24 hours a day for those suffering a break-in
Others: Dept of Energy Computer Incident Advisory Capability: www.cisc.org/ciac; National Inst. of Standards and Tech. (NIST) csrc.nist.gov
Mailing Lists
Usenet Security Newsgroups
alt.2600.crackz
alt.2600.hackerz
alt.computer.security
alt.hackers.malicious
alt.security
alt.security.pgp
comp.security.firewalls
comp.lang.java.security
comp.os.linux.security
Physical Security
Mentality: “firewalls fix everything”
More than 50% of security breaches come from inside
Types of Harm
  Server compromise
  Network infrastructure compromise
  Workstation compromise (Trojans)
  Loss or theft of proprietary data
  Transmission of inaccurate data
  Denial of Service
The Human Dimension
Dimension, least risk to most: members of the public, temporary employees, departmental users, infrastructure, server administrators
Scofflaw employees – those who want to bypass security rules for their convenience, e.g., installing their own modem
IT employees: logic bomb
Physical Security: “Do”s
Do: lock wiring closets
Do: use switches rather than hubs (esp. for admins)
Do: change locks immediately when an employee leaves
Do: erase hard drives when you take them out of service
Do: use a paper shredder
Do: lock the server cabinets
Do: restrict or forbid the use of modems on desktops
Do: make sure road laptops and PDAs are secure
Do: consider use of smart-cards rather than passwords for administrators
Recommended Reading
Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995
Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994
Physical Security: “Don’t”s
Don’t: send off-site backups to unsecured sites
Don’t: give keys to vendors
Don’t: allow ad hoc access to the data center
Don’t: share wiring closets with printers etc.
Don’t: put servers in unsecured areas
Don’t: leave server keys on the back of the server
Don’t: let cleaning people in without an escort
Don’t: store sensitive data on user drives (or encrypt it)
Don’t: discuss passwords over non-secure channels
Don’t: put consoles near windows
Protocol Review
IP – internet protocol: routing packets through the network
TCP – connection-oriented transport
UDP –
ARP – address resolution protocol
ICMP – internet control message protocol
Application layer – FTP, HTTP, SMTP, SNMP, SSH
Spoofing Attacks
Spoofing means fraudulently authenticating one machine as another
P 131 “A Short Overview of IP Spoofing”
www.nmrc.org/files/unix/ip.exploit.txt
Preventing IP spoofing
  have your routers reject packets with local addresses from the outside
  also have them reject internal packets claiming to originate from the outside
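The two router rules on the slide are ingress and egress anti-spoofing filters. The function below is an added example for these notes (not from the lecture) that models both decisions so they can be tested before being translated into a real router’s access lists; the local networks and the sample packets are constructed values from the documentation address ranges.

```python
"""Ingress/egress anti-spoofing filter modelled on the slide's two rules.

Added example, not from the lecture:
 1. ingress: drop packets arriving on the OUTSIDE interface whose source is local
 2. egress:  drop packets arriving on the INSIDE interface whose source is not local
LOCAL_NETS and SAMPLE_PACKETS are constructed (documentation ranges).
"""
import ipaddress

# Constructed: the address blocks this site owns behind the router.
LOCAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed packets as (arrival interface, source address).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.9"),    # legitimate inbound traffic
    ("outside", "192.0.2.10"),     # claims a local source from outside: spoofed
    ("inside", "198.51.100.4"),    # legitimate outbound traffic
    ("inside", "203.0.113.9"),     # internal host forging an outside source
]


def is_local(src):
    """True when `src` falls inside one of the site's own address blocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_NETS)


def filter_packet(interface, src):
    """Return (allowed, reason) for a packet with source `src` that arrived
    on `interface`, which must be "outside" or "inside"."""
    if interface not in ("outside", "inside"):
        raise ValueError(f"unknown interface {interface!r}")
    local = is_local(src)
    if interface == "outside" and local:
        return False, "ingress: local source address arriving from outside"
    if interface == "inside" and not local:
        return False, "egress: internal packet claiming an outside source"
    return True, "ok"


def audit(packets):
    """Run the filter over a packet list; return the dropped ones with reasons."""
    dropped = []
    for interface, src in packets:
        allowed, reason = filter_packet(interface, src)
        if not allowed:
            dropped.append((interface, src, reason))
    return dropped


if __name__ == "__main__":
    for interface, src, reason in audit(SAMPLE_PACKETS):
        print(f"DROP {src} on {interface}: {reason}")
```

The egress rule is the one sites most often skip, yet it is what stops your own hosts from being used to spoof others; the slide’s phrasing “reject internal packets claiming to originate from the outside” is exactly that check.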
ARP Spoofing
Address Resolution Protocol (ARP)
IP address to hardware (Ethernet) address mapping
Send an ARP packet: “who has IP address X, and what is your hardware address?”
ARP cache – table of recent responses
ARP Spoofing
1. Assume IP address “a” of a trusted host
2. Respond to ARP packets for address “a”
3. Send a false hardware address (i.e. the fraud’s address)
Solution: make the ARP cache static (manual updates!?!)
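A static ARP cache is the slide’s fix; the monitoring half of that fix is to notice when a reply for a pinned address carries a different hardware address instead of silently accepting it. The following monitor is an added example for these notes, not code from the lecture: the pinned table and the reply stream are constructed, and a real deployment would feed it replies captured from the segment.

```python
"""ARP reply monitor that enforces a static IP -> MAC table (added example).

Not from the lecture. Replies for pinned addresses never update the cache;
a reply whose hardware address disagrees with the pinned entry is reported,
as is a change of address for a dynamically learned host. All addresses
below are constructed (documentation ranges).
"""

# Constructed static table, as the slide's "make ARP cache static" suggests.
STATIC_ARP = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.20": "00:00:5e:00:53:20",  # trusted file server
}

# Constructed ARP replies as (ip, mac); the third one answers for the
# gateway with a different hardware address.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),
    ("192.0.2.20", "00:00:5E:00:53:20"),   # same MAC, different case
    ("192.0.2.1", "00:00:5e:00:53:99"),    # conflicts with the pinned gateway entry
    ("192.0.2.44", "00:00:5e:00:53:44"),   # not pinned: learned dynamically
    ("192.0.2.44", "00:00:5e:00:53:44"),   # repeat of the same mapping: fine
]


def process_arp_replies(replies, static=STATIC_ARP):
    """Return (cache, alerts). `cache` is the static table plus dynamically
    learned entries; `alerts` lists every reply that contradicted a pinned
    entry or changed a learned one."""
    static = {ip: mac.lower() for ip, mac in static.items()}
    learned = {}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in static:
            if static[ip] != mac:
                alerts.append({"ip": ip, "expected": static[ip], "seen": mac})
            continue  # a pinned entry is never overwritten by a reply
        previous = learned.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ip": ip, "expected": previous, "seen": mac})
        learned[ip] = mac
    return {**static, **learned}, alerts


if __name__ == "__main__":
    cache, alerts = process_arp_replies(SAMPLE_REPLIES)
    for a in alerts:
        print(f"ARP conflict for {a['ip']}: expected {a['expected']}, saw {a['seen']}")
    print("gateway still resolves to", cache["192.0.2.1"])
```

Pinning every host by hand is the “manual updates!?!” cost the slide mentions; in practice sites pin only the gateway and a few servers and let the monitor report changes for the rest.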
DNS Spoofing
Domain Name System (DNS): hierarchical name servers map FQDN to IP address; a UDP packet is sent with the name to the name server
Web Spoofing
Security Myth
“The only secure computer is the one that is turned off and unplugged”
Once connected to the internet it becomes a target
So shut down all unnecessary services.
Myth 2: “My firewall will stop the pesky crackers!”
The Players, Platforms and Attacks
The Players: the Black Hats, script kiddies, the White Hats
Platforms of attackers
  1. Windows
  2. Linux/NetBSD/FreeBSD
  3. OpenBSD, billed as “the most secure OS freely available”
Attacks: Denial of Service; viruses, Trojans, malicious scripts; web defacement