Security of Communication Networks, InDP3 (IST, IRES, RSM)
INDP3 IST, IRES, RSM
Semester I, 2011/2012
Slim REKHIS, SUP'Com
Security of Communication Networks
Course outline
• Content
  - Security Fundamentals
  - Virtual Private Networks
  - Firewalls
  - Access control and multi-level security
  - Intrusion detection
Chapter 1
Security Fundamentals
Motivations
• Information systems are being penetrated by unauthorized users and rogue programs.
• The volume of security breaches is increasing (the Computer Emergency Response Team, CERT, reports a tremendous increase in security incidents).
• Security attacks are of increasing severity and sophistication.
  - Distributed Denial of Service (DDoS) attacks.
Examples of security attacks
• Worm attacks (e.g., Code Red).
• Capture of network traffic (e.g., user IDs, passwords).
• Exploitation of software bugs.
• Unauthorized access to resources (modification and destruction of resources).
• Compromised systems used as attack platforms.
• Identity spoofing as an authorized user or end system.
• Insider malice (deliberate insertion of malicious or infected code, information disclosure).
[Figure: attack sophistication versus intruder knowledge]
[Figure: percentage of key types of incidents, by percent of respondents]
Factors contributing to intrusions
• Lack of awareness of threats and risks.
• Security measures are not given importance until an enterprise has been penetrated by malicious users.
• Wide-open network policies (many Internet sites allow wide-open Internet access).
• The vast majority of network traffic is unencrypted.
• Lack of security in the TCP/IP protocol suite.
• Complexity of security management and administration.
• Existence of software bugs.
• Attackers' skills keep improving.
Categories of attacks
• Interruption: a system asset is destroyed or becomes unavailable.
  - Attack on availability.
  - E.g., destroying a file system, flooding a communication link with packets.
• Interception: an unauthorized party gains access to an asset.
  - Attack on confidentiality.
  - E.g., unauthorized copying of data or programs, sniffing network traffic.
• Modification: an unauthorized party gains access to an asset and alters it.
  - Attack on integrity.
  - E.g., modifying the expected functionality of a program, changing the contents of a message.
• Fabrication: an unauthorized party inserts a counterfeit object into the system.
  - Attack on authenticity.
  - E.g., insertion of records in a log file, insertion of a fake datagram in a network.
Attacks on security protocols
Active vs. passive attacks
• Passive attacks (the intruder only observes, so they are hard to detect; the emphasis is on prevention):
  - Release of message content: a message may be carrying sensitive data.
  - Traffic analysis: even if messages are encrypted, an intruder can make inferences by observing message patterns (e.g., host location and identity can be revealed).
  - Footprinting: building a complete profile of an organization's security capabilities.
• Active attacks (the intruder alters or injects data, so they are hard to prevent outright; the emphasis is on detection and recovery):
  - Masquerade: an entity pretends to be some other entity.
  - Replay: an entity captures a data unit and retransmits it to produce an unauthorized effect.
  - Message modification: an entity modifies a portion of a legitimate message to produce an undesirable effect.
  - Denial of service: inhibits the normal use of computer and communication resources.
Characterizing digital attacks
• Compared with traditional (physical) attacks, digital attacks have additional properties:
  - Coordination
  - Tracing difficulty
  - Rapid propagation
  - Self-propagation
  - Remote execution
  - Weakness of the legal frameworks
Attack features
• Coordination: multiple attackers can cooperate through resource sharing, task allocation and synchronization.
• Uncertainty: alerts generated by detection tools carry a degree of uncertainty.
  - This should be taken into account when making decisions based on generated alerts.
• Versioning: statistics show that attack schemes seldom vary.
  - Attackers often introduce several slight modifications to an attack tool in order to adapt it to existing vulnerabilities or to bypass protection mechanisms.
Some definitions
• Security attack: any action that compromises the security of information owned by an organization or an individual.
• Security mechanism: a mechanism that implements functions designed to prevent, detect, or respond to a security attack.
• Security service: a service that enhances the security of data processing systems and information transfers.
  - A security service uses one or more security mechanisms to counter a security attack.
Some definitions
• Alert: a message sent by attack detection tools (e.g., an IDS) when they observe an attack.
• Threat: a possible attack on the system.
• Vulnerability: a weakness that may be exploited to cause loss or harm.
• Risk: a measure of the likelihood of security breaches and of the severity of the resulting damage.
  - Requires an assessment of threats and vulnerabilities.
Classifying vulnerabilities
• Application-level vulnerabilities
  - Operating systems
  - Web applications (e.g., servers, servlets)
  - Database applications
  - Network protocol implementations
• Protocol vulnerabilities
• Human-related vulnerabilities
  - Misconfiguration of equipment (e.g., firewall, router, switch)
  - Weak password protection
  - Confidentiality violations
DDoS attacks in 2G cellular networks
• DoS attacks in 2G cellular networks mainly exploit authentication weaknesses in the protocols used: in GSM the network authenticates the mobile, but the mobile has no way to authenticate the network.
• One of the best-known DoS attacks is the false BTS attack, which first appeared with GSM networks.
  - The malicious BTS transmits a stronger signal than the legitimate one to the users in the current cell, so their mobiles camp on it.
  - Since the false BTS does not relay them to the real network, the users are effectively detached from the network.
DDoS attacks in 2.5G networks
• Since 2.5G cellular networks and beyond offer data services, several vulnerabilities were inherited from the Internet.
  - Protocols used for data services, such as TCP and ICMP, are vulnerable to DDoS attacks.
  - Openness of the network to the Internet.
• The TCP SYN flood is one of the best-known DDoS attacks in 2.5G networks.
  - An intruder takes control of a sufficient number of mobiles by means of viruses.
  - He instructs them to open a large number of half-open TCP connections (SYN sent, handshake never completed) to a server in order to exhaust its memory and fill up its connection queue.
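The SYN flood works because a classic server allocates a connection-queue entry for every SYN and holds it until the handshake completes or times out. The following added example (not code from the slides or from any particular TCP stack) shows the standard countermeasure, SYN cookies: the server keeps no state at SYN time, encodes a time counter, the client's MSS and a keyed MAC of the connection 4-tuple into the initial sequence number of its SYN/ACK, and allocates state only when a client returns an ACK that validates. The secret key, counter period, MSS table and the addresses in the constructed flood are assumptions made for this example.

```python
"""SYN cookies: a stateless defence against half-open connection exhaustion.

Added example, not from the lecture slides. SECRET_KEY, COUNTER_PERIOD_S,
MSS_TABLE and all addresses are assumptions made for the example.
"""
import hashlib
import hmac

SECRET_KEY = b"server-secret-rotate-me"   # assumed; a real server rotates this periodically
COUNTER_PERIOD_S = 64                      # seconds per counter tick
MSS_TABLE = (536, 1300, 1440, 1460)        # MSS values encodable in 2 bits


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed MAC over the 4-tuple and time counter, truncated to 25 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now_s):
    """Return the ISN to send in the SYN/ACK; nothing is stored on the server."""
    counter = (now_s // COUNTER_PERIOD_S) & 0x1F            # 5-bit time counter
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):                      # largest entry <= client MSS
        if mss <= client_mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    # 32-bit layout: [5 bits counter][2 bits MSS index][25 bits MAC]
    return (counter << 27) | (mss_idx << 25) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now_s):
    """Validate the handshake's final ACK. Return the negotiated MSS, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF                      # the client ACKs ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & 0x01FFFFFF
    current = (now_s // COUNTER_PERIOD_S) & 0x1F
    if (current - counter) & 0x1F > 1:                       # accept this period and the last
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


def stateful_backlog_drops(syns, backlog=128):
    """Classic server: each SYN occupies a half-open slot; once full, new SYNs are refused."""
    half_open = set()
    dropped = 0
    for four_tuple in syns:
        if len(half_open) >= backlog:
            dropped += 1
        else:
            half_open.add(four_tuple)
    return dropped


def stateless_backlog_drops(syns, now_s=0):
    """SYN-cookie server: every SYN is answered from the cookie; no slot is consumed."""
    for src_ip, src_port, dst_ip, dst_port in syns:
        make_syn_cookie(src_ip, src_port, dst_ip, dst_port, 1460, now_s)
    return 0


def spoofed_syn_flood(n):
    """Constructed flood: n SYNs from distinct (spoofed) sources against one server port."""
    return [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 20000, "192.0.2.10", 80)
            for i in range(n)]
```

The price of statelessness is that TCP options not encoded in the cookie are lost, which is why only a coarse MSS table is carried, and the short replay window (two counter periods) bounds how long a captured SYN/ACK can be reused.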
DDoS attacks in 3G networks
• DDoS attacks are more significant.
  - Use of a huge number of PUSH services, which are initiated from the Internet.
  - Use of packet-switching technology and vulnerability to IP-based attacks.
• Radio channel consumption
  - An attacker breaks into weakly secured UEs (user equipment) and uses them as zombies.
  - Later he instructs them to generate incomplete calls at the same time.
  - With a significant number of compromised mobiles in each cell, the network can be brought down for a long period of time.
• Telephony server abuse
  - An attacker makes a large number of cell phones call a voice server simultaneously.
  - The target will be unreachable during the attack.
Example of Web application vulnerability
IIS/PWS Extended Unicode Directory Traversal vulnerability
• Normally, IIS checks URL strings to ensure that certain constructs do not occur.
  - E.g., a requester attempts to access some parent of the "/scripts" directory:
    http://www.example.com/scripts/..\../winnt/system32/cmd.exe?/c+dir
  - IIS catches this and returns an HTTP 404 - File not found response.
• When the exact same request is made with some characters encoded in (overlong) UTF-8, the ".." check, which runs before decoding, no longer sees a traversal, yet %c1%9c decodes to a backslash:
    http://www.example.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
  - The response is:
    Directory of c:\inetpub\scripts
    10/01/2001 03:46p <DIR> .
    10/01/2001 03:46p <DIR> ..
    0 File(s) 0 bytes 2 Dir(s) 2,527,547,392 bytes free
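The root cause is an ordering bug: the ".." check runs on the raw URL, and the UTF-8 decoder that runs afterwards accepts overlong sequences, so the two-byte form %c1%9c (0xC1 0x9C) yields (0x01 << 6) | 0x1C = 0x5C, a backslash. The following added example (not code from the slides or from IIS) reproduces both orderings against the two URLs on the slide: a lenient decoder that mirrors the vulnerable behaviour, a resolver that checks before decoding, and a hardened resolver that decodes strictly, canonicalises, and only then verifies the path stays under the document root. The web root and path handling are assumptions for the example.

```python
"""Check-before-decode versus decode-then-check for the IIS Unicode traversal.

Added example, not from the lecture slides or from IIS. WEB_ROOT and the
URL handling are assumptions made for the example.
"""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "C:/inetpub"          # assumed document root (forward slashes for posixpath)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable decoder did: overlong forms are accepted."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            # two-byte form; a strict decoder rejects lead bytes 0xC0/0xC1 as overlong
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def has_dotdot_segment(path: str) -> bool:
    """The pre-decoding filter: is any path segment literally '..'?"""
    return ".." in path.replace("\\", "/").split("/")


def vulnerable_resolve(url_path: str):
    """Bug: the '..' check runs on the raw URL; percent/UTF-8 decoding happens afterwards."""
    if has_dotdot_segment(url_path):
        return None                                   # HTTP 404
    decoded = lenient_utf8_decode(unquote_to_bytes(url_path)).replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + decoded)     # may escape WEB_ROOT


def hardened_resolve(url_path: str):
    """Fix: decode strictly, canonicalise, then check the result is under the root."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")   # raises on %c1%9c
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(WEB_ROOT + decoded.replace("\\", "/"))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full
```

The general lesson is that any security check on an encoded input must run on the fully decoded, canonical form, and that the final containment check (is the resolved path still under the root?) is what holds even when the decoder has a bug.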
Example of operating system vulnerability
ICMP ping of death
• Some Windows OSs allowed oversized, non-standard ICMP echo requests to be generated (e.g., via the ping utility).
• An IP datagram may be at most 65,535 bytes; after the 20-byte IP header and the 8-byte ICMP header, the maximum ICMP echo payload is 65,507 bytes.
• Any echo request exceeding this size is fragmented by the sender, and the receiver tries to reassemble the datagram.
• The attacker sends an illegal echo request carrying more bytes than allowed; it is split into fragments whose offsets and lengths add up to more than 65,535 bytes.
• When the receiver reassembles the fragments into a buffer sized for a legal datagram, the result is a buffer overflow, kernel dumps and crashes.
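The defect is in reassembly: the 13-bit fragment offset (in 8-byte units) plus a fragment's length can describe data ending beyond byte 65,535, and a stack that sizes its buffer for a legal datagram and copies without checking overflows it. The following added example (not code from the slides or from any real IP stack) fragments an ICMP payload as a sender would, then contrasts an unchecked reassembler with one that rejects any fragment ending past the maximum datagram size; fragments are represented as constructed (offset_units, more_fragments, payload) tuples, and an option-free 20-byte IP header is assumed.

```python
"""Reassembly bound check that stops a 'ping of death' datagram.

Added example, not from the lecture slides. Fragments are modelled as
(offset_units, more_fragments, payload) tuples; a 20-byte IP header with
no options is assumed.
"""
MAX_DATAGRAM = 65535
IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8


def fragment_echo(payload: bytes, mtu=1500):
    """Split an ICMP echo (header + data) into fragments as a sender would; no size check."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8        # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append((off // 8, more, data))
    return frags


def reassemble_unchecked(frags):
    """Vulnerable: trusts offsets. Returns the datagram length the receiver ends up writing."""
    buf = bytearray()
    for off_units, _more, data in frags:
        start = off_units * 8 + IP_HEADER_LEN
        end = start + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))   # a real stack had a fixed buffer here
        buf[start:end] = data
    return len(buf)                                  # > MAX_DATAGRAM means memory was overrun


def reassemble_checked(frags):
    """Hardened: discard the datagram if any fragment ends past 65,535 bytes or is malformed."""
    buf = bytearray(MAX_DATAGRAM)
    total = 0
    for off_units, more, data in frags:
        start = off_units * 8 + IP_HEADER_LEN
        end = start + len(data)
        if end > MAX_DATAGRAM or (more and len(data) % 8):
            return None
        buf[start:end] = data
        total = max(total, end)
    return total


def ping_of_death_payload(data_len=65510):
    """Constructed oversized echo: 8-byte ICMP header plus data_len bytes (65,510 > 65,507)."""
    return b"\x08\x00" + b"\x00" * (ICMP_HEADER_LEN - 2) + b"A" * data_len
```

The check is cheap and must be made per fragment, before the copy; checking only the final total would be too late because the overrun happens while copying the last fragment.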
Example of protocol vulnerability
IP spoofing
• An IP packet carries no authentication of its source address (the header checksum only detects accidental corruption and is trivially recomputed by a forger).
  - IP spoofing is therefore possible.
• IP spoofing can help malicious users bypass IP-based authentication mechanisms (e.g., address-based access lists).
• IP spoofing also occurs on other packet-switched networks, such as Novell's IPX.
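To make the point concrete, the following added example (not code from the slides) builds an IPv4 header with an arbitrary source address and a valid RFC 791 checksum, shows that the receiving host's checksum verification passes just as well for the forged header, and then applies the one check that can catch it: ingress filtering on the router, which drops packets whose source address does not belong to the prefixes behind the interface they arrived on. The addresses and the per-interface prefix table are constructed for the example.

```python
"""An IPv4 header authenticates nothing: the source address is a free field.

Added example, not from the lecture slides. All addresses and the
INGRESS_PREFIXES table are assumptions made for the example.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto=1, ttl=64, ident=0x1234) -> bytes:
    """Build a 20-byte header with a valid checksum for ANY source address (spoofed or not)."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)                       # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    """What a receiving host verifies: the sum including the checksum field folds to zero."""
    return ipv4_checksum(hdr) == 0


def source_address(hdr: bytes) -> str:
    return str(ipaddress.IPv4Address(hdr[12:16]))


# Constructed ingress policy: prefixes legitimately reachable behind each router interface.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],   # customer LAN
}


def ingress_filter_accepts(iface: str, hdr: bytes) -> bool:
    """Ingress filtering (BCP 38 idea): the source must belong to the arriving interface's prefixes."""
    src = ipaddress.IPv4Address(hdr[12:16])
    return any(src in net for net in INGRESS_PREFIXES.get(iface, []))
```

Note where each check lives: the checksum is verified by the destination host and passes for the forged packet, while the ingress filter must run on the router closest to the source, the only vantage point that knows which addresses are plausible on that link.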
Security services (X.800)
• Privacy/confidentiality/secrecy:
  - Requires that the information in a computer system and transmitted information are accessible only for reading by authorized parties.
• Integrity:
  - Requires that only authorized parties are able to modify computer system assets and transmitted information (information must be protected from tampering).
• Authentication:
  - Requires that the origin of a message or electronic document is correctly identified.
  - Any party can verify that the other party is who he or she claims to be.
• Non-repudiation:
  - Requires that neither the sender nor the receiver of a message be able to deny the transmission.
• Access control:
  - Requires that access to information resources be controlled by or for the target system.
Security requirements for transmitting information
• Authorization
  - Requires that an entity be specifically and explicitly authorized by the proper authority to access the contents of an information asset.
• Availability
  - Requires that a service or resource be accessible and usable upon demand by an authorized entity.
• Accountability
  - Requires that every activity undertaken by an entity be uniquely attributable or traceable to that entity.
• Identification
  - Requires that an information system be able to recognize individual users.
Authentication vs. authorization
• Authentication:
  - proving that a person (or process) really is who he/she claims to be.
• Authorization:
  - verifying whether an authenticated, legitimate principal has the privilege to perform a task or the right to access certain resources; it is decided only after authentication.
• Example:
  - A process "P" created by a user "U" contacts a server to delete a file "F". The server needs to settle two separate issues:
    - Is this actually a process of "U"? (authentication)
    - Is "U" allowed to delete the file? (authorization)
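The example above carried through in code, as an added example that is not part of the slides: process P of user U sends the server a request to delete F, and the server answers the two questions in order. Authentication here is a MAC over the request computed with a per-user secret that only U and the server hold, so a request forged by another user fails; a nonce list makes a captured, valid request unusable a second time (the replay attack from the active-attacks slide). Authorization is a separate ACL lookup performed only after authentication succeeds. The user names, secrets, file name and ACL are constructed for the example.

```python
"""Authentication, then authorization: a file server deciding whether U may delete F.

Added example, not from the lecture slides. USER_SECRETS, ACL and the
request format are assumptions made for the example.
"""
import hashlib
import hmac
import json

USER_SECRETS = {"U": b"secret-of-U", "V": b"secret-of-V"}     # constructed shared keys
ACL = {"F": {"U": {"read", "delete"}, "V": {"read"}}}        # constructed per-file permissions


def sign_request(user, action, target, nonce, secret):
    """What process P does: bind the request fields to the user's secret with an HMAC."""
    body = json.dumps({"user": user, "action": action, "target": target, "nonce": nonce},
                      sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class FileServer:
    def __init__(self):
        self.seen_nonces = set()     # defeats replay of a captured, valid request

    def authenticate(self, req):
        """Question 1: is this really a request from the user it names? Returns fields or None."""
        fields = json.loads(req["body"])
        secret = USER_SECRETS.get(fields.get("user"))
        if secret is None:
            return None
        expected = hmac.new(secret, req["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["tag"]):
            return None                                  # forged or tampered request
        if fields["nonce"] in self.seen_nonces:
            return None                                  # replayed request
        self.seen_nonces.add(fields["nonce"])
        return fields

    def authorize(self, user, action, target):
        """Question 2: is the (now authenticated) user allowed to do this?"""
        return action in ACL.get(target, {}).get(user, set())

    def handle(self, req):
        fields = self.authenticate(req)
        if fields is None:
            return "401 not authenticated"
        if not self.authorize(fields["user"], fields["action"], fields["target"]):
            return "403 not authorized"
        return "200 %s %s" % (fields["action"], fields["target"])
```

Keeping the two decisions in separate functions matters: authorization consults the identity that authentication established, never the identity the request merely claims, so a failed or skipped authentication cannot be compensated for by a generous ACL.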