Dr. Bhavani Thuraisingham Cyber Security Lecture for July 16, 2010 Network Security

Upload: alisha-simmons

Post on 25-Dec-2015


Dr. Bhavani Thuraisingham

Cyber Security

Lecture for July 16, 2010

Network Security

13-204/19/23 09:51

Outline

• Introduction to Network Security
• Types of Secure Network Systems
• Secure Network Protocols

What is Network Security

• Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness.

• The terms network security and information security are often used interchangeably. Network security is generally taken as providing protection at the boundaries of an organization by keeping out intruders (hackers).

• Information security, however, explicitly focuses on protecting data resources from malware attack or simple mistakes by people within an organization by use of data loss prevention (DLP) techniques.

What is Network Security

• Network security starts from authenticating the user, commonly with a username and a password.

• Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users.

• Though effective to prevent unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network.

• Anti-virus software or an intrusion prevention system (IPS) help detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network and traffic for unexpected (i.e. suspicious) content or behavior and other anomalies to protect resources, e.g. from denial of service attacks or an employee accessing files at strange times. Individual events occurring on the network may be logged for audit purposes and for later high-level analysis.

What is Network Security

• Communication between two hosts using a network could be encrypted to maintain privacy.

• Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis could be used to further tighten security of the actual network being protected by the honeypot.

• A Botnet is a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software.

Network Forensics

• Network forensics is essentially about monitoring network traffic and determining if there is an attack and, if so, determining the nature of the attack.

• Key tasks include traffic capture, analysis and visualization
• Many tools are now available
• Works together with IDSs, Firewalls and Honeynets
• Expert systems solutions show promise

What is Network Forensics?

• Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

• Network forensics systems can be one of two kinds:
  - "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
  - "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT

• IDS attempts to detect activity that violates an organization's security policy by implementing a set of rules describing preconfigured patterns of interest.

• Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers.

• NFAT synergizes with IDSs and Firewalls:
  - Preserves a long-term record of network traffic
  - Allows quick analysis of trouble spots identified by IDSs and Firewalls

• NFATs must do the following:
  - Capture network traffic
  - Analyze network traffic according to user needs
  - Allow system users to discover useful and interesting things about the analyzed traffic

NFAT Tasks

• Traffic Capture
  - What is the policy?
  - What is the traffic of interest?
  - Internal/External?
  - Collect packets: tcpdump

• Traffic Analysis
  - Sessionizing captured traffic (organize)
  - Protocol parsing and analysis
    - Check for strings, use expert systems for analysis

• Interacting with NFAT
  - Appropriate user interfaces and reports; examine large quantities of information and make it manageable
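The two collection styles from the earlier slide ("catch-it-as-you-can" versus "stop, look and listen") and the sessionizing task above, as an added Python example that is not part of the lecture; the packets, the bidirectional 5-tuple session key and the protocol heuristic are constructed assumptions:

```python
"""Constructed demonstration of the two network-forensics collection
styles and of sessionizing captured traffic. Both paths produce the same
sessions; what differs is how much data must be kept."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed traffic: one HTTP conversation and one DNS lookup.
PACKETS = [
    Packet(0.00, "10.0.0.5", 40001, "93.184.216.34", 80, "tcp",
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(0.02, "93.184.216.34", 80, "10.0.0.5", 40001, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n<html>...</html>"),
    Packet(0.05, "10.0.0.5", 40001, "93.184.216.34", 80, "tcp",
           b"GET /favicon.ico HTTP/1.1\r\n\r\n"),
    Packet(0.10, "10.0.0.5", 53011, "10.0.0.1", 53, "udp",
           b"\x12\x34\x01\x00" + b"\x00" * 8 + b"\x07example\x03com\x00"),
    Packet(0.11, "10.0.0.1", 53, "10.0.0.5", 53011, "udp",
           b"\x12\x34\x81\x80" + b"\x00" * 20),
]


def session_key(p):
    """Bidirectional 5-tuple: both directions of a conversation share one key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo, hi)


@dataclass
class Session:
    packets: int = 0
    nbytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0
    peek: bytes = b""   # only the first bytes are kept, for protocol identification

    def add(self, p):
        if self.packets == 0:
            self.first_ts, self.peek = p.ts, p.payload[:16]
        self.packets += 1
        self.nbytes += len(p.payload)
        self.last_ts = p.ts


def guess_protocol(key, s):
    """Rudimentary protocol parsing on the retained bytes (assumed heuristic, not a dissector)."""
    if s.peek.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if 53 in (key[1][1], key[2][1]):
        return "dns"
    return "unknown"


def catch_it_as_you_can(packets):
    """Write every packet to storage; sessionize later in batch mode."""
    store = list(packets)                      # stands in for a full-packet capture on disk
    stored = sum(len(p.payload) for p in store)
    sessions = defaultdict(Session)
    for p in store:
        sessions[session_key(p)].add(p)
    return stored, dict(sessions)


def stop_look_listen(packets):
    """Reduce each packet in memory and keep only the per-session record."""
    sessions = defaultdict(Session)
    for p in packets:
        sessions[session_key(p)].add(p)        # the packet itself is dropped here
    stored = sum(len(s.peek) for s in sessions.values())
    return stored, dict(sessions)


def summarize(sessions):
    """Protocol -> (packet count, payload bytes) per session."""
    return {guess_protocol(k, s): (s.packets, s.nbytes) for k, s in sessions.items()}
```

Both functions return the bytes retained alongside the sessions, which makes the storage trade-off between the two designs visible on the same input.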


Honeynets/Honeypots

• Network forensics and honeynet systems have the same features of collecting information about computer misuse.

• A honeynet system can lure attackers and gain information about new types of intrusions.

• Network forensics systems analyze and reconstruct the attack behaviors.

• These two systems integrated together build an active, self-learning response system to profile the intrusion behavior features and investigate the original source of the attack.

Policies: Computer Attack Taxonomy

• Probing
  - Attacker's reconnaissance
  - Attackers create a profile of an organization's structure, network capabilities and content, and security posture
  - Attacker finds the targets and devises plans to circumvent the security mechanism

• Penetration
  - Exploit system configuration errors and vulnerabilities
  - Install Trojans, record passwords, delete files, etc.

• Cover tracks
  - Configure event logging to a previous state
  - Clear event logs and hide files

Policies to enhance forensics

• Retaining information
• Planning the response
• Training
• Accelerating the investigation
• Preventing anonymous activities
• Protecting the evidence

Example Prototype System: Iowa State University

• Network Forensics Analysis mechanisms should meet the following:
  - Short response times; user-friendly interfaces

• Questions addressed
  - How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strongly are two hosts connected to the attack?

• Features of the prototype
  - Preprocessing mechanism to reduce redundancy in intrusion alerts
  - Graph model for presenting and interacting with the evidence
  - Hierarchical reasoning framework for automated inference of attack group identification

Example Prototype System: Modules

• Evidence collection module
• Evidence preprocessing module
• Attack knowledge base
• Assets knowledge base
• Evidence graph generation module
• Attack reasoning module
• Analyst interface module

Some Popular Tools

• Raytheon's SilentRunner
  - Gives administrators help as they attempt to protect their company's assets
  - Collector, Analyzer and Visualizer modules

• Sandstorm Enterprise's NetIntercept
  - Hardware appliance focused on capturing network traffic

• Niksun's NetDetector
  - An appliance like NetIntercept
  - Has an alerting mechanism
  - Integrates with Cisco IDS for a complete forensic analysis

Types of Secure Network Systems

• Internet Security Systems
• Intrusion Detection Systems
• Firewall Security Systems
• Storage Area Network Security Systems
• Network disaster recovery systems
• Public key infrastructure systems
• Wireless network security systems
• Satellite encryption security systems
• Instant Messaging Security Systems
• Net privacy systems
• Identity management security systems
• Identity theft prevention systems
• Biometric security systems
• Homeland security systems

Internet Security Systems

• Security hierarchy
  - Public, Private and Mission Critical data
  - Unclassified, Confidential, Secret and Top Secret data

• Security Policy
  - Who gets access to what data
  - Bell-LaPadula Security Policy, Noninterference Policy

• Access Control
  - Role-based access control, Usage control

• Encryption
  - Public/private keys
  - Secret payment systems

• Directions
  - Smart cards

Intrusion Detection Systems

• An intrusion can be defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource".

• Attacks are:
  - Host-based attacks
  - Network-based attacks

• Intrusion detection systems are split into two groups:
  - Anomaly detection systems
  - Misuse detection systems

• Use audit logs
  - Capture all activities in network and hosts.
  - But the amount of data is huge!

Worm Detection: Introduction

• What are worms?
  - Self-replicating program; exploits a software vulnerability on a victim; remotely infects other victims

• Evil worms
  - Severe effect; the Code Red epidemic cost $2.6 Billion

• Automatic signature generation possible
  - EarlyBird System (S. Singh, UCSD); Autograph (H. Ah-Kim, CMU)

• Goals of worm detection
  - Real-time detection

• Issues
  - Substantial volume of identical traffic, random probing

• Methods for worm detection
  - Count number of sources/destinations; count number of failed connection attempts

• Worm Types
  - Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing Networks worms
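The two detection counts the slide lists (sources/destinations per host and failed connection attempts), plus a content-prevalence check in the spirit of the automatic-signature-generation idea, as an added Python example that is not part of the lecture; the connection log, the payload markers and the thresholds are constructed assumptions:

```python
"""Constructed demonstration of the worm-detection counts listed on the
slide: per-source destination fan-out and failed connection attempts, plus
a content-prevalence check (same payload from many sources to many
destinations), the idea behind automatic signature generation."""
import hashlib
from collections import defaultdict

# Constructed log records: (time, src, dst, dport, outcome, payload), where
# outcome "ok" means the handshake completed and "fail" means RST / no answer.
LOG = []
# A normal host: a few successful sessions to a few servers.
for i, dst in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.10", "10.0.2.7"]):
    LOG.append((i, "10.0.0.5", dst, 443, "ok", b"client hello (constructed)"))
# An infected host probing pseudo-random addresses with one identical payload.
for i in range(40):
    dst = f"10.0.{(i * 7) % 4}.{(i * 13) % 250 + 1}"
    outcome = "ok" if i % 10 == 0 else "fail"   # most random probes hit nothing
    LOG.append((10 + i, "10.0.0.99", dst, 445, outcome, b"PROBE-PAYLOAD (constructed)"))
# A second infected host spreading the same payload.
for i in range(12):
    LOG.append((30 + i, "10.0.3.14", f"10.0.4.{i + 1}", 445, "fail",
                b"PROBE-PAYLOAD (constructed)"))


def per_source_stats(log):
    """Distinct destinations, attempts and failed attempts for each source."""
    dests, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, src, dst, _, outcome, _ in log:
        dests[src].add(dst)
        attempts[src] += 1
        fails[src] += outcome == "fail"
    return {s: (len(dests[s]), attempts[s], fails[s]) for s in attempts}


def scanning_sources(log, max_fanout=20, max_fail_rate=0.5, min_attempts=10):
    """Flag sources that contact unusually many destinations or fail too often.
    Thresholds are assumptions; in practice they are tuned per network."""
    flagged = {}
    for src, (fanout, n, f) in per_source_stats(log).items():
        if n < min_attempts:
            continue                             # too little data to judge
        rate = f / n
        if fanout > max_fanout or rate > max_fail_rate:
            flagged[src] = {"fanout": fanout, "fail_rate": round(rate, 2)}
    return flagged


def prevalent_content(log, min_sources=2, min_dests=10):
    """Payload hashes seen from several sources to many destinations:
    candidates for an automatically generated signature."""
    srcs, dsts = defaultdict(set), defaultdict(set)
    for _, src, dst, _, _, payload in log:
        h = hashlib.sha256(payload).hexdigest()[:16]
        srcs[h].add(src)
        dsts[h].add(dst)
    return {h: (len(srcs[h]), len(dsts[h])) for h in srcs
            if len(srcs[h]) >= min_sources and len(dsts[h]) >= min_dests}
```

The normal host is never judged because it makes too few attempts, which is the usual guard against flagging a quiet machine on a single odd connection.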


Email Worm Detection using Data Mining

[Figure: outgoing emails -> feature extraction -> training data / test data -> machine learning classifier -> the model -> clean or infected?]

Task: given some training instances of both "normal" and "viral" emails, induce a hypothesis to detect "viral" emails.

We used: Naïve Bayes, SVM
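The pipeline in the figure (feature extraction on outgoing e-mail, training on labelled "normal" and "viral" instances, then classifying test data), as an added Python example that is not part of the lecture; it implements a Bernoulli naive Bayes classifier from scratch rather than calling a library, and the five features, the training set and the two test messages are constructed assumptions:

```python
"""Constructed demonstration of the slide's e-mail worm detection pipeline:
feature extraction on outgoing mail -> training -> classify new mail.
The classifier is a Bernoulli naive Bayes written out in full."""
import math

FEATURES = ["exe_attachment", "many_recipients", "body_seen_before",
            "odd_hour", "external_link"]


def extract(msg):
    """Map a message (a constructed dict here) to a binary feature vector."""
    return [
        int(any(a.lower().endswith((".exe", ".scr", ".pif")) for a in msg["attachments"])),
        int(len(msg["to"]) >= 5),
        int(msg["body_seen_before"]),          # same body already sent by this user
        int(msg["hour"] < 6 or msg["hour"] > 22),
        int("http://" in msg["body"] or "https://" in msg["body"]),
    ]


# Constructed training set: (feature vector, label), label 1 = viral.
TRAIN = [
    ([1, 1, 1, 1, 0], 1), ([1, 1, 1, 0, 0], 1), ([1, 1, 0, 1, 1], 1),
    ([0, 1, 1, 1, 1], 1), ([1, 0, 1, 1, 0], 1),
    ([0, 0, 0, 0, 1], 0), ([0, 0, 0, 0, 0], 0), ([0, 1, 0, 0, 1], 0),
    ([0, 0, 0, 1, 0], 0), ([0, 0, 0, 0, 1], 0), ([0, 0, 1, 0, 0], 0),
]


def train(data, alpha=1.0):
    """Class priors and per-feature P(feature = 1 | class), Laplace-smoothed
    so a feature value unseen in training never zeroes out a class."""
    model = {}
    for c in (0, 1):
        rows = [x for x, y in data if y == c]
        probs = [(sum(r[j] for r in rows) + alpha) / (len(rows) + 2 * alpha)
                 for j in range(len(FEATURES))]
        model[c] = (math.log(len(rows) / len(data)), probs)
    return model


def classify(model, x):
    """Return (label, P(viral)); sums are kept in log space to avoid underflow."""
    scores = {}
    for c, (log_prior, probs) in model.items():
        s = log_prior
        for xi, p in zip(x, probs):
            s += math.log(p if xi else 1.0 - p)
        scores[c] = s
    m = max(scores.values())
    p_viral = math.exp(scores[1] - m) / sum(math.exp(v - m) for v in scores.values())
    return (1 if p_viral >= 0.5 else 0), p_viral


MODEL = train(TRAIN)


def check_outgoing(msg):
    """Gateway hook: classify an outgoing message before it leaves the organization."""
    return classify(MODEL, extract(msg))


# Constructed test messages.
WORM_MSG = {"to": [f"user{i}@example.com" for i in range(8)],
            "attachments": ["photo.jpg.exe"], "body_seen_before": True,
            "hour": 3, "body": "check this out"}
CLEAN_MSG = {"to": ["bob@example.com"], "attachments": ["report.pdf"],
             "body_seen_before": False, "hour": 10,
             "body": "see https://example.com/report"}
```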


Firewall Security Systems

• A firewall is a system or group of systems that enforces an access control policy between two networks.

• Benefits
  - Implements access control across networks
  - Maintains logs that can be analyzed
    - Data mining for analyzing firewall logs and ensuring policy consistency

• Limitations
  - No security within the network
  - Difficult to implement content-based policies
  - Difficult to protect against malicious code
    - Data-driven attacks

Traffic Mining

• To bridge the gap between what is written in the firewall policy rules and what is being observed in the network, analyze the traffic and the log of the packets: traffic mining
  - Network traffic trends may show that some rules are outdated or not used recently

[Figure: Firewall -> Log File -> Mining Log File Using Frequency -> Filtering Rule Generalization -> Generic Rules -> Identify Decaying & Dominant Rules -> Edit Firewall Rules -> Firewall Policy Rule]
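The mining flow in the figure (hit frequencies per rule, decaying and dominant rules, policy consistency), as an added Python example that is not part of the lecture; the rule set, the 30-day log and its line layout are constructed assumptions, and the shadowed-rule check is one concrete form of the "policy consistency" step:

```python
"""Constructed demonstration of traffic mining over a firewall log: rule
hit frequencies, dominant / decaying / unused rules, and a policy
consistency check for rules shadowed by an earlier rule."""
import ipaddress
import re
from collections import Counter

# Constructed ordered policy; the first matching rule wins.
RULES = [
    {"id": "R1", "action": "allow", "src": "10.0.0.0/8", "dport": 443},
    {"id": "R2", "action": "allow", "src": "10.1.0.0/16", "dport": 443},  # covered by R1
    {"id": "R3", "action": "allow", "src": "10.0.0.0/8", "dport": 22},
    {"id": "R4", "action": "deny", "src": "0.0.0.0/0", "dport": 23},
    {"id": "R5", "action": "allow", "src": "192.168.5.0/24", "dport": 8080},
]

# Assumed log layout: "<day> <action> rule=<id> src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"^(?P<day>\d+) (?P<action>\w+) rule=(?P<rule>\w+) "
                  r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Constructed 30-day log: R1 carries most traffic, R5 fired only in the first
# week, R2 never fires (it cannot, see shadowed_rules below).
LOG = []
for day in range(1, 31):
    LOG += [f"{day} allow rule=R1 src=10.2.{day}.{i} dst=172.16.0.10 dport=443"
            for i in range(1, 21)]
    LOG += [f"{day} allow rule=R3 src=10.0.9.{i} dst=172.16.0.20 dport=22"
            for i in range(1, 3)]
    if day % 5 == 0:
        LOG.append(f"{day} deny rule=R4 src=203.0.113.{day} dst=172.16.0.20 dport=23")
    if day <= 7:
        LOG.append(f"{day} allow rule=R5 src=192.168.5.{day} dst=172.16.0.30 dport=8080")


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["day"], d["dport"] = int(d["day"]), int(d["dport"])
            records.append(d)
    return records


def rule_frequency(records, since_day=0):
    """Hits per rule id, optionally restricted to days >= since_day."""
    return Counter(r["rule"] for r in records if r["day"] >= since_day)


def classify_rules(rules, records, last_day, window=14, dominant_share=0.5):
    """dominant: at least dominant_share of all hits; decaying: hits exist but
    none in the last `window` days; unused: never hit; otherwise active."""
    total = rule_frequency(records)
    recent = rule_frequency(records, since_day=last_day - window + 1)
    n = sum(total.values())
    verdict = {}
    for r in rules:
        rid = r["id"]
        if total[rid] == 0:
            verdict[rid] = "unused"
        elif total[rid] / n >= dominant_share:
            verdict[rid] = "dominant"
        elif recent[rid] == 0:
            verdict[rid] = "decaying"
        else:
            verdict[rid] = "active"
    return verdict


def shadowed_rules(rules):
    """Consistency check: a rule whose source range and port are fully covered
    by an earlier rule can never match, whatever the log shows."""
    found = []
    for i, later in enumerate(rules):
        net = ipaddress.ip_network(later["src"])
        for earlier in rules[:i]:
            if (earlier["dport"] == later["dport"]
                    and net.subnet_of(ipaddress.ip_network(earlier["src"]))):
                found.append((later["id"], earlier["id"]))
                break
    return found
```

An "unused" verdict from the log alone cannot tell a dead rule from a shadowed one; the structural check on the rule set is what separates the two cases.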


Storage Area Network Security Systems

• High-performance networks that connect all the storage systems
  - After a disaster such as terrorism or a natural disaster (9/11 or Katrina), the data has to be available
  - Database systems are a special kind of storage system

• Benefits include centralized management, scalability, reliability, performance

• Security attacks on multiple storage devices
  - Secure storage is being investigated

Network Disaster Recovery Systems

• Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan.

• Policies and procedures have to be defined and subsequently enforced.

• Which machines to shut down, which backup servers to use, when law enforcement should be notified.

Public Key Infrastructure Systems

• A certificate authority that issues and verifies digital certificates

• A registration authority that acts as a verifier for the certificate authority before a digital certificate is issued to a requester

• One or more directories where the certificates with their public keys are held

• A certificate management system

Digital Identity Management

• Digital identity is the identity that a user has to access an electronic resource.

• A person could have multiple identities
  - A physician could have an identity to access medical resources and another to access his bank accounts

• Digital identity management is about managing the multiple identities
  - Manage databases that store and retrieve identities
  - Resolve conflicts and heterogeneity
  - Make associations
  - Provide security

• Ontology management for identity management is an emerging research area.

Digital Identity Management - II

• Federated Identity Management
  - Corporations work with each other across organizational boundaries with the concept of federated identity
  - Each corporation has its own identity and may belong to multiple federations
  - Individual identity management within an organization and federated identity management across organizations

• Technologies for identity management
  - Database management, data mining, ontology management, federated computing

Identity Theft Management

• Need for secure identity management
  - Ease the burden of managing numerous identities
  - Prevent misuse of identity: preventing identity theft

• Identity theft is stealing another person's digital identity

• Techniques for preventing identity theft include
  - Access control, Encryption, Digital Signatures
  - A merchant encrypts the data and signs with the public key of the recipient
  - Recipient decrypts with his private key

Biometrics

• Early Identification and Authentication (I&A) systems were based on passwords.

• Recently, physical characteristics of a person are being used for identification
  - Fingerprinting
  - Facial features
  - Iris scans
  - Voice recognition
  - Facial expressions

• Biometric techniques will provide access not only to computers but also to buildings and homes.

• Systems are vulnerable to attack, e.g., fake biometrics.

Homeland Security Systems

• Border and Transportation Security
  - RFID technologies?

• Emergency preparedness
  - After an attack happens, what actions are to be taken?

• Chemical, Biological, Radiological and Nuclear security
  - Sensor technologies

• Information analysis and Infrastructure protection
  - Data mining, security technologies

Other Types of Systems

• Wireless security systems
  - Protecting PDAs and phones against denial of service and related attacks

• Satellite encryption systems
  - Pretty Good Privacy (PGP), which uses RSA security

• Instant messaging
  - Deployment of instant messaging is usually not controlled
  - Should IM be blocked?

• Net Privacy
  - Can we ensure privacy on the networks and systems?
  - Privacy-preserving access?

OSI Model

• The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization.

• It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provide services to the layer above it and receive services from the layer below it.

• On each layer an instance provides services to the instances at the layer above and requests service from the layer below.

OSI Model

• The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium.

• This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBAs used in storage area networks) and more.

• The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer.

• The Network Layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer. The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible.

OSI Model

• The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control.

• Some protocols are state- and connection-oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail.

• Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

OSI Model

• The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures.

• The Presentation Layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa.

• The Presentation Layer works to transform data into the form that the Application Layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer.

Application Layer

• APPC, Advanced Program-to-Program Communication
• DNS, Domain Name System (Service) Protocol
• FTAM, File Transfer Access and Management
• FTP, File Transfer Protocol
• Gopher, Gopher protocol
• HL7, Health Level Seven
• HTTP, Hypertext Transfer Protocol
• IMAP, IMAP4, Internet Message Access Protocol
• IRCP, Internet Relay Chat Protocol
• LDAP, Lightweight Directory Access Protocol
• LPD, Line Printer Daemon Protocol
• MIME (S-MIME), Multipurpose Internet Mail Extensions and Secure MIME

Application Layer

• NFS, Network File System
• NIS, Network Information Service
• NTP, Network Time Protocol
• POP, POP3, Post Office Protocol (version 3)
• SIP, Session Initiation Protocol
• SMTP, Simple Mail Transfer Protocol
• SNMP, Simple Network Management Protocol
• SSH, Secure Shell
• TELNET, Terminal Emulation Protocol of TCP/IP
• VTP, Virtual Terminal Protocol
• X.400, Message Handling Service Protocol
• X.500, Directory Access Protocol (DAP)

Network Protocols Technologies

• Token Bus
• Token Ring
• X.25
• Routing protocols
• IEEE 802 Standards

TCP/IP

• In the TCP/IP model of the Internet, protocols are not as rigidly designed into strict layers as in the OSI model.

• TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols, namely the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network.

• The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer is a subset of the OSI Network Layer (see above), while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer.

IPv4

• Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet. IPv4 is still by far the most widely deployed Internet Layer protocol.

• IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing, or avoid duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol (e.g., Transmission Control Protocol).

IPsec

• Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

• IPsec is a dual-mode, end-to-end security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet.

TLS/SSL

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer.

• Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

• The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security.

TLS/SSL

• In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous).

• TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's certificate). This is known as mutual authentication, or 2SSL. Mutual authentication requires that the TLS client side also hold a certificate (which is not usually the case in the end-user/browser scenario).

DMZ

• A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.

• The term is normally referred to as a DMZ by IT professionals. It is sometimes referred to as a Perimeter Network.

• The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

DMZ

• In a network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and DNS servers.

• Because of the increased potential of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder were to succeed. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed.

• This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.
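The DMZ connectivity rules on these two slides (external reaches only published DMZ services, DMZ reaches only specific internal hosts, internal reaches the DMZ, everything else denied), as an added Python example that is not part of the lecture; the zone ranges, host addresses, services and the audit check are constructed assumptions for a small first-match zone firewall:

```python
"""Constructed demonstration of the DMZ policy described on the slides,
evaluated by a small first-match, zone-based firewall. Zones, addresses,
services and the internal hosts the DMZ may reach are all constructed."""
import ipaddress

ZONES = {
    "external": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    """Most specific zone wins, so 10.x.x.x is internal although 0.0.0.0/0 also matches."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


# Ordered policy: (from_zone, to_zone, dst host, dport, action); "*" = any.
# Anything not matched falls through to the default deny at the end of decide().
POLICY = [
    ("external", "dmz", "192.0.2.10", 25, "allow"),       # public mail relay
    ("external", "dmz", "192.0.2.20", 443, "allow"),      # public web server
    ("external", "dmz", "192.0.2.30", 53, "allow"),       # public DNS
    ("dmz", "internal", "10.0.5.15", 1433, "allow"),      # web server -> one database host
    ("dmz", "internal", "10.0.5.25", 25, "allow"),        # relay -> internal mail server
    ("dmz", "external", "*", "*", "allow"),               # DMZ hosts may reach the Internet
    ("dmz", "dmz", "*", "*", "allow"),                    # DMZ hosts may talk to each other
    ("internal", "dmz", "*", "*", "allow"),               # inside users reach DMZ services
    ("internal", "external", "*", "*", "allow"),
]


def decide(src, dst, dport):
    """First matching rule decides; no match means deny."""
    from_zone, to_zone = zone_of(src), zone_of(dst)
    for pf, pt, pdst, pport, action in POLICY:
        if (pf, pt) != (from_zone, to_zone):
            continue
        if pdst != "*" and pdst != dst:
            continue
        if pport != "*" and pport != dport:
            continue
        return action
    return "deny"


def audit(policy):
    """Policy review: list any rule that lets the external zone reach the internal
    zone directly, which a DMZ design should never contain."""
    return [rule for rule in policy
            if rule[0] == "external" and rule[1] == "internal" and rule[4] == "allow"]
```

The interesting cases are the denials: a compromised DMZ web server can reach the one database port it needs and nothing else inside, and an external host can never address an internal host directly.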


WAP

• Wireless Application Protocol (WAP) is an open international standard for application-layer network communications in a wireless-communication environment. Most use of WAP involves accessing the mobile web from a mobile phone or from a PDA.

• A WAP browser provides all of the basic services of a computer-based web browser but simplified to operate within the restrictions of a mobile phone, such as its smaller view screen. Users can connect to WAP sites: websites written in, or dynamically converted to, WML (Wireless Markup Language) and accessed via the WAP browser.

Instant Messaging

• Instant messaging (IM) is a form of real-time direct text-based communication between two or more people using personal computers or other devices, along with shared software clients. The user's text is conveyed over a network, such as the Internet. More advanced instant messaging software clients also allow enhanced modes of communication, such as live voice or video calling.

• IM falls under the umbrella term online chat, as it is a real-time text-based networked communication system, but is distinct in that it is based on clients that facilitate connections between specified known users ("Contact List"), whereas online 'chat' also includes web-based applications that allow communication between (often anonymous) users in a multi-user environment.

VPN

• A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same, secure capabilities, but at a much lower cost.

• It encapsulates data transfers between two or more networked devices not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.

Next Steps

• Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

• Security issues fall into two broad categories: security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.