Lesson 8: Network Security and Defending Against Attacks
Overview
• Basic Security Tools
• A Real-world Example
• Computer Incident Taxonomy
Firewall: Application Proxy
• Uses data from layers 3 and 4, and application layer
– Filters on application-specific data, such as FTP’s put (upload) and get (download) commands
– Provides for more granular security policy implementation
• Implements “proxies” on the firewall
– Proxy represents an application
– Proxies usually exist for ubiquitous applications (HTTP, FTP, streaming media protocols, etc.)
• If no proxy on firewall, security is reduced
• Can implement servers on the firewall
– Eliminates traffic into network for those applications
– Consumes firewall resources
• Creates and maintains two TCP connections per TCP session
– Involves firewall in ACKs, window-sizing, throttling-rate, etc.
Firewall Technologies: Static Packet Filtering
• Compares data from layers 4 and 3 of packets against a set of pre-defined rules to permit or deny access through the firewall
– Source IP address and port
– Destination IP address and port
• Filters on permissible connections
– Packets can flow on a permitted path without a valid connection
Firewall: Stateful Packet Inspection
• Like static packet filtering, compares source and destination data from layers 3 and 4 against a set of pre-defined rules
• Also interprets flag data from headers to determine state
– SYN and ACK flags used in connection establishment
– FIN, RST, ACK flags used in connection termination
• Records existing connections in a state table
– Inspects arriving packets to determine if a connection already exists between that client and server
– Facilitates prevention of attacks in which unauthorized packets appear to be traversing an already-established connection when in fact no connection exists
Firewall Comparisons: Performance Features
• Stateful packet inspection occurs at a lower level of the protocol stack
• Application proxies' extra per-packet processing time is magnified during periods of heavy short-packet traffic
– Web applications generate large amounts of short packets
• Application proxies generally have more processes (consuming more system resources) than stateful packet inspection because each proxy needs separate processes
• Stateful packet inspection does not incur the added performance cost of filtering on application-level data
• Application proxies create and maintain two TCP connections; stateful packet inspection is responsible for zero TCP connections
– Degrades both network and failover performance
Firewall Comparisons: Security Features
• Application proxies filter application-level data
– Greater flexibility in security policy implementation
– Capability sparsely implemented in CITS architecture
• Application-proxy firewalls have a limited number of proxies
– If no proxy exists for an application, the firewall defaults to a less secure technology (e.g., static packet filtering)
– Many applications have no proxy
• Stateful packet inspection allows direct TCP connections between the client and server
• All enterprise FWs offer Network Address Translation (NAT)
– Hides internal IP addresses from outside entities
– Hides internal network architecture from outside entities
– Expands available number of IP addresses to the enterprise
TCP Connection Establishment: Three-way Handshake
[Figure: Client (address A) and Server (address B) exchanging packets across the Internet]
• Step 1 - Client A creates “connection request” packet (Packet 1: SYN=1, ACK=0, Source: A, Destination: B)
– Sets SYN flag to 1 and ACK flag to 0
– Sets source as itself and the server as the destination
• Step 2 - Server B creates “connection accept” packet (Packet 2 (response): SYN=1, ACK=1, Source: B, Destination: A)
– Sets SYN flag to 1 and ACK flag to 1
– Sets source as itself and client as the destination
• Step 3 - (not shown) Client responds with connection affirmation
– SYN flag to 1, ACK flag to 1, data can be “piggybacked”
Penetrating a Static Packet Filter Firewall
[Figure: Hacker (address Z) and Trusted Server B on the Internet/NIPRNet; Static Packet Filtering Firewall in front of the Trusted Network containing Trusted Server A]
• Packets between Servers A and B are permitted, if Server A initiates the connection
• Step 1 (Packet 1: SYN=1, ACK=0, Source: A (forged), Destination: B) - Hacker creates an “establish TCP connection” packet, forges “source” so that it appears that packet originates from target inside trusted network, sends packet to Server B on Internet
• Step 2 (Packet 2: SYN=1, ACK=1, Source: B, Destination: A) - Trusted Server B on Internet receives packet, mis-interprets it as a connection request from Server A, affirmatively responds to A
• Step 3 - Firewall: “Hmmm… Rules say to not allow packets from untrusted sources, and also don’t allow any connection establishments from outside … but Packet 2 is a response from a trusted server to a connection request from Server A inside the firewall -- Proceed.”
– Firewall, not knowing that a connection does not currently exist between A and B, permits packet into trusted network
Stateful Packet Inspection Firewall
[Figure: Hacker (address Z) and Trusted Server B on the Internet/NIPRNet; Stateful Packet Inspection Firewall in front of the Trusted Network containing Trusted Server A]
• Packets between Servers A & B permitted, if Server A initiates connection, and connection exists
• Step 1 (Packet 1: SYN=1, ACK=0, Source: A (forged), Destination: B) - Hacker creates an “establish TCP connection” packet, forges “source” so that it appears that packet originates from target inside trusted network, sends packet to Server B on Internet
• Step 2 (Packet 2: SYN=1, ACK=1, Source: B, Destination: A) - Trusted Server B on Internet receives packet, mis-interprets it as a connection request from Server A, affirmatively responds to A
• Step 3 - Firewall: “Hmmm… Rules say to not allow packets from untrusted sources, and also don’t allow any connection establishments from outside … and deny packets if a connection does not exist. There’s no current connection -- Deny.”
– Firewall, knowing that a connection does not currently exist between A and B, denies packet into trusted network
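The two firewall walk-throughs above, as an added example that is not part of the lecture: a toy static packet filter and a toy stateful packet inspection filter run over the same forged-SYN scenario, so the different verdicts on Packet 2 can be checked. Host labels A, B and Z come from the slides; the Packet fields, rule sets and state-table logic are constructed assumptions.

```python
from dataclasses import dataclass

TRUSTED_INSIDE = {"A"}    # slide's Trusted Server A, behind the firewall
TRUSTED_OUTSIDE = {"B"}   # slide's Trusted Server B, on the Internet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool
    inbound: bool  # True when the packet arrives from the Internet side

def static_filter(pkt: Packet) -> bool:
    """Static packet filtering: layer 3/4 fields against fixed rules only."""
    if pkt.inbound:
        if pkt.src not in TRUSTED_OUTSIDE or pkt.dst not in TRUSTED_INSIDE:
            return False                          # untrusted source/destination
        return not (pkt.syn and not pkt.ack)      # no connection setup from outside
    return pkt.src in TRUSTED_INSIDE and pkt.dst in TRUSTED_OUTSIDE

class StatefulFilter:
    """Same rules plus a state table of connections opened from inside."""
    def __init__(self) -> None:
        self.table = {}  # (inside host, outside host) -> connection state

    def check(self, pkt: Packet) -> bool:
        if not static_filter(pkt):
            return False
        if not pkt.inbound:
            key = (pkt.src, pkt.dst)
            if pkt.syn and not pkt.ack:           # step 1: inside host opens
                self.table[key] = "SYN_SENT"
            elif pkt.ack and self.table.get(key) == "SYN_SENT":
                self.table[key] = "ESTABLISHED"   # step 3: handshake complete
            return key in self.table
        # Inbound: only packets matching a connection the inside host opened.
        return (pkt.dst, pkt.src) in self.table

def forged_syn_scenario(fw) -> bool:
    """Z sends B a SYN forged from A; the firewall only ever sees B's
    SYN/ACK (Packet 2). Returns True if that packet is admitted."""
    reply = Packet("B", "A", syn=True, ack=True, inbound=True)
    return fw(reply)

def legitimate_session(fw) -> bool:
    """A really opens the connection, so B's SYN/ACK should be admitted."""
    fw(Packet("A", "B", syn=True, ack=False, inbound=False))
    return fw(Packet("B", "A", syn=True, ack=True, inbound=True))
```

The static filter admits Packet 2 because it matches the "response from a trusted server" rule, while the stateful filter denies it because no A-to-B entry exists in its state table.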
A DMZ
[Figure: Internet (clients, servers, hackers) → Internet Firewall → DMZ holding the Web Server and Directory Server → “Intranet” Firewall → Users and Servers on Trusted Network]
IP Security (IPSEC)
• A cryptographic mechanism for IP
• Current IP version: IPv4
• Optional in IPv4, supported in IPv6
• Two major modes:
– Tunnel: encrypts both the data and header portions of the packet
– Transport: encrypts the data portion of the packet
• Requires both ends to be using IPSEC (obviously, since one end will encrypt, the other needs to be able to decrypt)
Virtual Private Networks
• A secure connection over a public network
• Connect disjoint pieces of the same network
• Connect mobile users
• VPNs provide security through cryptography
– IPSEC
– PPTP
• VPNs are HOLES in firewalls
Large Company Enterprise Overview
[Figure: INTERNET → IDS → FW → WEB Services → FW → Intranet → IDS → Company Clients]
Sample Network and Security
[Figure: the enterprise network connected to the Internet; an Internet attack raises an ALERT]
A Better Picture of the Network and the Potential Threats
[Figure: the same network plus a user-connected modem on the PSTN; a back-door attack through the modem raises a second ALERT]
And what else could possibly happen next?
[Figure: the same network with Wireless and VoIP added as further entry points]
Computer Security Incidents: Taxonomy
Need an accepted taxonomy because . . .
• Provides a common frame of reference
• If no taxonomy, then we:
– Can’t develop common reporting criteria
– Can’t develop processes and standardization
– Ultimately, no IA “Common Language”
Must have these characteristics . . .
[Figure: two sets of logically related columns combined into one taxonomy]
Must be:
• Mutually exclusive
• Unambiguous
• Repeatable
• Accepted
• Useful
• Exhaustive
Where to start?
• The inability to share data because of non-standard terminology is not a new problem
• For this reason several computer security taxonomies have already been developed
• Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
• Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)
• Currently in use at Carnegie Mellon’s CERT/CC
Sandia Labs Network Based Taxonomy
[Figure: taxonomy matrix; columns read left to right Attackers → Tool → Vulnerability → Action → Target → Unauthorized Result → Objectives. Action + Target form an Event; Tool, Vulnerability, Event and Unauthorized Result form an Attack; Attackers, Attack and Objectives form an Incident]
• Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
• Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
• Objectives: Challenge/Status/Thrills, Political Gain, Financial Gain, Damage
Basic Model
[Figure: Attackers → Tool → Vulnerability → Action → Target → Unauthorized Result → Objectives; the Tool-through-Unauthorized-Result span is an Attack and the whole row an Incident. The lecture relabels Attackers as Intruders and Attacks as Intrusions]
Computer Network “Incident”
• Intruders: Hackers, Terrorists, Other
• Intrusions: Increased access, Disclosure of info, Theft of resources, Corruption of info, Denial of Service
• Objectives: Status/Thrills, Political Gain, Financial Gain, Damage
[Figure: intruders carrying out intrusions against the Defended Network to achieve their objectives]
Computer Network Incident: Intrusion Taxonomy
• Incident = Intruders + Intrusion + Objectives
• Intrusion = Tool + Vulnerability + Event + Unauthorized Result
• Event = Action + Target
[Figure: the intrusion broken out into its columns]
• Tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
• Vulnerabilities: Design, Implementation, Configuration
• Events: Action, Target
• Unauthorized Results: Increased access, Disclosure, Corrupt data, Denial of Service, Theft
• Objectives: Thrills, Political Gain, Financial Gain, Damage
[Figure residue: “Did have Intent”, “Unauthorized Results”, “No Unauthorized Results”]
Intrusion taxonomy in practice . . .
[Figure: Sandia Labs taxonomy columns (Tool, Vulnerability, Action, Target, Unauthorized Result, Intruders, Objectives) with one path highlighted]
• Tool: Toolkit
• Vulnerability: Design
• Action: Bypass
• Target: Process
• Unauthorized Result: Corruption of Data, Denial of Service
• Classification: Computer Network Intrusion
Intrusion taxonomy in practice . . . (Insider Threat)
[Figure: the same taxonomy columns, with Authorized User as the intruder]
• Intruder: Authorized User
• Tool: Toolkit
• Vulnerability: Design
• Action: Bypass
• Target: Process
• Unauthorized Result: Increased Access
Taxonomy applied
[Figure: Sandia Labs Network Based Taxonomy columns with the path for Intrusion 1 highlighted]
• Intrusion 1: Tool: User Command; Vulnerability: Design; Action: Authenticate; Target: Account; Unauthorized Result: Increased Access
[Figure: the same taxonomy columns repeated, highlighting each intrusion in turn]
• Intrusion 1 - Increased Access
• Intrusion 2 - Root Level Access: Tool: User Command; Vulnerability: Design; Action: Bypass; Target: Process; Unauthorized Result: Increased Access (root access)
• Intrusion 3 - Disclosure of Information: Tool: User Command; Vulnerability: Design; Action: Steal; Target: Data; Unauthorized Result: Disclosure of Information
• Further intrusion (unnumbered on the slide): Tool: Script or Program; Vulnerability: Implementation; Action: Modify; Target: Process; Unauthorized Results: Denial of Service, Theft of Resources, Disclosure of Information
New definition: “Intrusion Set”
• Multiple events
• Multiple related intrusions = “Intrusion Set”
[Figure: Tool → Vulnerability → Action → Target → Unauthorized Result, repeated per intrusion, linked to the Intruder and Objective]
Who? What? Why?
• The taxonomy answers the what
• Need more information to get to attribution
– Need to know who?
– Need to know why?
Who and Why?
[Figure: Intrusion Set (Tool, Vulnerability, Action, Target, Unauthorized Result) linked to Intruders and Objectives through Attribution]
• Objectives: Challenge/Status/Thrills, Political (Pol/Mil) Gain, Financial Gain, Damage
Not every event?
Objective reporting criteria
[Figure: the taxonomy columns (Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives) divided into Group 1 through Group 4, showing which parts of the record are reported]
• Must report all unauthorized results (actual or attempted), including intrusion data
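Added example (not from the lecture or the Sandia report) covering the taxonomy slides, the “Taxonomy applied” intrusions and the reporting criterion above: the vocabularies encoded as fixed sets, a record type that rejects any term outside them (the unambiguous/exhaustive requirement), the three numbered intrusions collected as an intrusion set, and the set of unauthorized results that must be reported computed over it. The Record class, its field names and the empty-string convention for “no unauthorized result” are assumptions.

```python
from dataclasses import dataclass

# Vocabularies exactly as listed on the taxonomy slides above.
TOOLS = {"Physical Attack", "Information Exchange", "User Command",
         "Script or Program", "Autonomous Agent", "Toolkit",
         "Distributed Tool", "Data Tap"}
VULNERABILITIES = {"Design", "Implementation", "Configuration"}
ACTIONS = {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof",
           "Read", "Copy", "Steal", "Modify", "Delete"}
TARGETS = {"Account", "Process", "Data", "Component", "Computer",
           "Network", "Internetwork"}
RESULTS = {"Increased Access", "Disclosure of Information",
           "Corruption of Information", "Denial of Service",
           "Theft of Resources"}

def _term(value: str, vocab: set, field: str) -> str:
    """Unambiguous and exhaustive: a record may only use taxonomy terms."""
    if value not in vocab:
        raise ValueError(f"{field}: {value!r} is not a taxonomy term")
    return value

@dataclass(frozen=True)
class Record:
    """Tool + vulnerability + event (action on a target) + optional result.
    With an unauthorized result it is an intrusion; without, only an event."""
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str = ""   # empty string (assumed convention): no unauthorized result

    def __post_init__(self):
        _term(self.tool, TOOLS, "tool")
        _term(self.vulnerability, VULNERABILITIES, "vulnerability")
        _term(self.action, ACTIONS, "action")
        _term(self.target, TARGETS, "target")
        if self.result:
            _term(self.result, RESULTS, "result")

# The three numbered intrusions worked through on the "Taxonomy applied" slides.
INTRUSION_SET = [
    Record("User Command", "Design", "Authenticate", "Account", "Increased Access"),
    Record("User Command", "Design", "Bypass", "Process", "Increased Access"),
    Record("User Command", "Design", "Steal", "Data", "Disclosure of Information"),
]

def reportable_results(records) -> list:
    """Every unauthorized result across the set; the slides say all must be reported."""
    return sorted({r.result for r in records if r.result})
```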
New Work
• CERT/CC: AirCERT
– Effort to collect nationwide incident data
• US Military: Joint Task Force-CNO
• FBI: Cyber Forensic Centers
• InfraGard
SUMMARY
• Technology Improvements Arriving
• Common Taxonomy Developed
• Increased Data Sharing Ongoing
• Prosecutions Increasing