Threats in Network: Anonymity Many Points of Attack Sharing Complexity of System
THREATS IN NETWORK
Threats aim to compromise the confidentiality and integrity of data, software, and hardware;
they originate from nature, accidents, non-malicious humans, and malicious attackers. Networks
are exposed to them for four main reasons:
1. Anonymity
2. Many Points Of Attack
3. Sharing
4. Complexity Of System
Threat Precursors:
1. Port scan
2. Social Engineering
3. Reconnaissance
4. Operating System and Application fingerprinting
5. Bulletin Boards and chats
6. Availability of Documentation
The more hostile term is wiretap, which means intercepting communication through some
effort.
1. Cable
2. Microwave
3. Satellite Communication
4. Optical Fiber
5. Wireless
From a security standpoint, we should assume that any communication link between network
nodes can be broken. For this reason commercial network users employ encryption to protect
the confidentiality of their communication.
Protocol Flaws:
Each protocol is identified by its Request For Comments (RFC) number. In TCP, for example, the
sequence number used by a client increments in a regular pattern, so both its current value
and the next one can easily be guessed.
Impersonation:
In many instances, there is an easier way than wiretapping for obtaining information on a
network: impersonate another person or process.
Spoofing:
Obtaining the network authentication credentials of an entity (a user, an account, a process, a
node, a device) permits an attacker to create a full communication under the entity’s identity.
Examples of spoofing are masquerading, session hijacking, and man-in-the-middle attacks.
In a masquerade one host pretends to be another.
Session hijacking is intercepting and carrying on a session begun by another entity.
Man-in-the-middle attack is a similar form of attack, in which one entity intrudes between
two others.
Web Site Defacement:
One of the most widely known attacks is the web site defacement attack. Because of the large
number of sites that have been defaced and the visibility of the result, the attacks are often
reported in the popular press. A defacement is common not only because of its visibility but
also because of the ease with which one can be done.
The website vulnerabilities that enable such attacks include buffer overflows, dot-dot
problems, application code errors, and server-side include problems.
Denial of Service:
Availability attacks, sometimes called denial-of-service or DoS attacks, are much more
significant in networks than in other contexts. There are many accidental and malicious
threats to availability or continued service:
1) Transmission Failure
2) Connection Flooding
3) Echo-Chargen
4) Ping of Death
5) Smurf
6) Syn Flood
7) Teardrop
8) Traffic Redirection
9) DNS Attacks
Active code or mobile code is a general name for code that is pushed to the client for
execution. Why should the web server waste its precious cycles and bandwidth doing simple
work that the client's workstation can do? For example, suppose you want your web site to
have bears dancing across the top of the page. To download the dancing bears, you could
download a new image for each movement the bears take: one bit forward, two bits forward,
and so forth. However, this approach uses far too much server time and bandwidth to
compute the positions and download new images. A more efficient use of (server) resources
is to download a program that runs on the client's machine and implements the movement of
the bears.
Security Threat Analysis:
The three steps of a security threat analysis in other situations are described here. First, we
scrutinize all the parts of a system so that we know what each part does and how it interacts
with other parts. Next, we consider possible damage to confidentiality, integrity, and
availability. Finally, we hypothesize the kinds of attacks that could cause this damage. We
can take the same steps with a network. We begin by looking at the individual parts of a
network:
Architecture:
As with so many of the areas we have studied, planning can be the strongest control. In
particular, when we build or modify computer-based systems, we can give some thought to
their overall architecture and plan to "build in" security as one of the key constructs.
Similarly, the architecture or design of a network can have a significant effect on its security.
The main areas to cover are
Segmentation
Redundancy
Single point of failure
Mobile agents
Encryption:
Encryption is powerful for providing privacy, authenticity, integrity, and limited access to
data. Because networks often involve even greater risks, they often secure data with
encryption, perhaps in combination with other controls. Two types of encryption scheme
exist:
Link encryption (data are encrypted just before the system places them on the
physical communications link)
End-to-end encryption (provides security from one end of a transmission to the other)
Content Integrity:
Content integrity comes as a bonus with cryptography. No one can change encrypted data in a
meaningful way without breaking the encryption. This does not say, however, that encrypted
data cannot be modified. Changing even one bit of an encrypted data stream affects the result
after decryption, often in a way that seriously alters the resulting plaintext. We need to
consider three potential threats:
Malicious modification that changes content in a meaningful way
Malicious or non-malicious modification that changes content in a way that is not
necessarily meaningful
non-malicious modification that changes content in a way that will not be detected
Encryption addresses the first of these threats very effectively. To address the others, we can
use other controls.
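The point above, that decryption alone never reveals tampering while a separate integrity control does, as an added illustration that is not part of the notes. The stream cipher here is a toy (SHA-256 in counter mode, not for real use) and the keys and message are constructed; the HMAC check is the "other control".

```python
import hashlib
import hmac

# Added illustration, not from the notes: a toy stream cipher (SHA-256 in counter
# mode, NOT for real use) shows that decryption alone never detects tampering,
# while an HMAC over the ciphertext does. Keys and message are constructed.
TAG_LEN = 32

def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # The same operation encrypts and decrypts (XOR with the keystream).
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the ciphertext, so any change is caught.
    ct = xor_crypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Returns the plaintext, or None if the tag does not verify.
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, ct)

def corrupt(data: bytes, index: int) -> bytes:
    # Simulates a one-bit change in transit (line noise or a deliberate edit).
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    enc_key, mac_key = b"\x11" * 32, b"\x22" * 32   # constructed keys
    msg = b"Transfer 100 units to account 42"
    ct = xor_crypt(enc_key, msg)
    # Plain decryption "succeeds" and silently yields a different message.
    plain_only = xor_crypt(enc_key, corrupt(ct, 9))
    sealed = seal(enc_key, mac_key, msg)
    return {
        "roundtrip_ok": xor_crypt(enc_key, ct) == msg,
        "plain_decrypt_changed_silently": plain_only != msg,
        "sealed_roundtrip": open_sealed(enc_key, mac_key, sealed),
        "tampered_rejected": open_sealed(enc_key, mac_key, corrupt(sealed, 9)) is None,
    }
```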
Strong Authentication:
In the network case, however, authentication may be more difficult to achieve securely
because of the possibility of eavesdropping and wiretapping, which are less common in
non-networked environments. Also, both ends of a communication may need to be authenticated
to each other.
Here the main issues are
One time password
Challenge response systems
Digital distributed authentication
Access Controls:
Authentication deals with the who of security policy enforcement; access controls enforce the
what and how.
ACLs on Routers
Routers perform the major task of directing network traffic either to sub-networks they
control or to other routers for subsequent delivery to other sub-networks. Routers convert
external IP addresses into internal MAC addresses of hosts on a local sub-network. Suppose a
host is being spammed (flooded) with packets from a malicious rogue host. Routers can be
configured with access control lists to deny access to particular hosts from particular hosts.
So, a router could delete all packets with a source address of the rogue host and a destination
address of the target host.
The logical view of network protection looks like the figure below, in which both a router
and a firewall provide layers of protection for the internal network. Now let us add one more
layer to this defense.
Honeypots:
A honeypot has no special features. It is just a computer system or a network segment,
loaded with servers and devices and data. It may be protected with a firewall, although you
want the attackers to have some access. There may be some monitoring capability, done
carefully so that the monitoring is not evident to the attacker. A honeypot is set up for
three reasons:
To watch what attackers do, in order to learn about new attacks (so that you can strengthen
your defenses against these new attacks)
To lure an attacker to a place in which you may be able to learn enough to identify and
stop the attacker
To provide an attractive but diversionary playground, hoping that the attacker will leave
your real system alone
Firewalls
Firewalls were officially invented in the early 1990s, but the concept really reflects the
reference monitor from two decades earlier.
What is a Firewall?
A firewall is a device that filters all traffic between a protected or "inside" network and a less
trustworthy or "outside" network. Usually a firewall runs on a dedicated device; because it is
a single point through which traffic is channeled, performance is important, which means
non-firewall functions should not be done on the same machine. Because a firewall is
executable code, an attacker could compromise that code and execute from the firewall's
device. Thus, the fewer pieces of code on the device, the fewer tools the attacker would have
by compromising the firewall. Firewall code usually runs on a proprietary or carefully
minimized operating system. The purpose of a firewall is to keep "bad" things outside a
protected environment. To accomplish that, firewalls implement a security policy that is
specifically designed to address what bad things might happen. For example, the policy might
be to prevent any access from outside (while still allowing traffic to pass from the inside to
the outside). Alternatively, the policy might permit accesses only from certain places, from
certain users, or for certain activities. Part of the challenge of protecting a network with a
firewall is determining which security policy meets the needs of the installation.
Design of Firewalls:
Always invoked
Tamperproof
Small and simple enough for rigorous analysis
expected to meet the "tamperproof" requirement. And firewall designers strongly recommend
keeping the functionality of the firewall simple.
Types of Firewalls:
Application proxies
Guards
Personal firewalls
A packet filtering gateway or screening router is the simplest, and in some situations, the
most effective type of firewall. A packet filtering gateway controls access to packets on the
basis of packet address (source or destination) or specific transport protocol type (such as
HTTP web traffic). As described earlier in this chapter, putting ACLs on routers may
severely impede their performance. But a separate firewall behind (on the local side) of the
router can screen traffic before it gets to the protected network. Figure 7-34 shows a packet
filter that blocks access from (or to) addresses in one network; the filter allows HTTP traffic
but blocks traffic using the Telnet protocol.
Filtering firewalls work on packets one at a time, accepting or rejecting each packet and
moving on to the next. They have no concept of "state" or "context" from one packet to the
next. A stateful inspection firewall maintains state information from one packet to another in
the input stream.
One classic approach used by attackers is to break an attack into multiple packets by
forcing some packets to have very short lengths so that a firewall cannot detect the signature
of an attack split across two or more packets. (Remember that with the TCP protocols,
packets can arrive in any order, and the protocol suite is responsible for reassembling the
packet stream in proper order before passing it along to the application.) A stateful inspection
firewall would track the sequence of packets and conditions from one packet to another to
thwart such an attack.
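The screening behaviour described above, as an added simulation that is not part of the notes: an ordered rule list of the kind a router ACL or packet filtering gateway applies (including the "rogue source to target destination" deny from the ACLs on Routers section), a per-packet signature check, and a stateful inspector that reorders TCP segments by sequence number so a signature split across two segments is still found. All addresses, rules, payloads and the signature are constructed.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the notes. Addresses are constructed (documentation ranges).
IPNet = ipaddress.ip_network

# Ordered screening rules: (action, source net, destination net, destination port);
# None means "any". First match wins; no match means deny.
RULES = [
    ("deny",  IPNet("192.0.2.7/32"), IPNet("10.0.0.5/32"), None),  # ACL: rogue host -> target
    ("allow", None, None, 80),                                      # HTTP
    ("deny",  None, None, 23),                                      # Telnet
]

SIGNATURE = b"../.."   # constructed signature for the dot-dot problem

def packet_filter(pkt: dict) -> str:
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, src_net, dst_net, dport in RULES:
        if src_net is not None and src not in src_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action
    return "deny"

def stateless_match(pkt: dict) -> bool:
    # A filtering firewall looks at one packet in isolation.
    return SIGNATURE in pkt["payload"]

class StatefulInspector:
    """Reorders TCP segments by sequence number per connection before matching."""
    def __init__(self):
        self.segments = defaultdict(dict)   # connection -> {seq: payload}

    def inspect(self, pkt: dict) -> bool:
        conn = (pkt["src"], pkt["dst"], pkt["dport"])
        self.segments[conn][pkt["seq"]] = pkt["payload"]
        # Assumes contiguous, non-overlapping segments (no gap handling here).
        stream = b"".join(p for _, p in sorted(self.segments[conn].items()))
        return SIGNATURE in stream

def mk(src, dst, dport, seq=0, payload=b""):
    return {"src": src, "dst": dst, "dport": dport, "seq": seq, "payload": payload}

SAMPLE_PACKETS = [   # constructed
    mk("192.0.2.7",   "10.0.0.5", 80),    # rogue host to target: blocked by the ACL rule
    mk("192.0.2.7",   "10.0.0.6", 80),    # same host to another destination: HTTP allowed
    mk("203.0.113.9", "10.0.0.5", 23),    # Telnet: blocked
    mk("203.0.113.9", "10.0.0.5", 80),    # HTTP: allowed
    mk("203.0.113.9", "10.0.0.5", 443),   # no matching rule: default deny
]

# One request split so the signature straddles two segments, delivered out of order.
SPLIT_SEGMENTS = [   # constructed
    mk("203.0.113.9", "10.0.0.5", 80, seq=16, payload=b"/../private/config.txt HTTP/1.0\r\n"),
    mk("203.0.113.9", "10.0.0.5", 80, seq=1,  payload=b"GET /cgi-bin/.."),
]

def filter_decisions(packets):
    return [packet_filter(p) for p in packets]

def stateless_hits(packets):
    return [stateless_match(p) for p in packets]

def stateful_hits(packets):
    insp = StatefulInspector()
    return [insp.inspect(p) for p in packets]
```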
Application Proxy
Packet filters look only at the headers of packets, not at the data inside the packets. Therefore,
a packet filter would pass anything to port 25, assuming its screening rules allow inbound
connections to that port. But applications are complex and sometimes contain errors. Worse,
applications (such as the e-mail delivery agent) often act on behalf of all users, so they
require privileges of all users (for example, to store incoming mail messages so that inside
users can read them). A flawed application, running with all users' privileges, can cause much
damage. An application proxy gateway, also called a bastion host, is a firewall that simulates
the (proper) effects of an application so that the application receives only requests to act
properly. A proxy gateway is a two-headed device: It looks to the inside as if it is the outside
(destination) connection, while to the outside it responds just as the insider would.
An application proxy runs pseudo-applications. For instance, when electronic
mail is transferred to a location, a sending process at one site and a receiving process at the
destination communicate by a protocol that establishes the legitimacy of a mail transfer and
then actually transfers the mail message. The protocol between sender and destination is
carefully defined. A proxy gateway essentially intrudes in the middle of this protocol
exchange, seeming like a destination in communication with the sender that is outside the
firewall, and seeming like the sender in communication with the real destination on the
inside. The proxy in the middle has the opportunity to screen the mail transfer, ensuring that
only acceptable e-mail protocol commands are sent to the destination.
Guard:
A guard is a sophisticated firewall. Like a proxy firewall, it receives protocol data units,
interprets them, and passes through the same or different protocol data units that achieve
either the same result or a modified result. The guard decides what services to perform on the
user's behalf in accordance with its available knowledge, such as whatever it can reliably
know of the (outside) user's identity, previous interactions, and so forth. The degree of
control a guard can provide is limited only by what is computable. But guards and proxy
firewalls are similar enough that the distinction between them is sometimes fuzzy. That is, we
can add functionality to a proxy firewall until it starts to look a lot like a guard.
Personal Firewalls:
| Packet Filtering | Stateful Inspection | Application Proxy | Guard | Personal Firewall |
|---|---|---|---|---|
| Simple | More complex | Even more complex | Most complex | Similar to packet filtering |
| Sees only addresses and service protocol type | Can see either addresses or data | Sees full data portion of packet | Sees full text of communication | Can see full data portion of packet |
| Auditing difficult | Auditing possible | Can audit activity | Can audit activity | Can and usually does audit activity |
| Screens based on connection rules | Screens based on information across packets in either header or data field | Screens based on behavior of proxies | Screens based on interpretation of message contents | Typically, screens based on information in a single packet, using header or data |
| Complex addressing rules can make configuration tricky | Usually preconfigured to detect certain attack signatures | Simple proxies can substitute for complex addressing rules | Complex guard functionality can limit assurance | Usually starts in "deny all inbound" mode, to which user adds trusted addresses as they appear |
Types of IDSs
The two general types of intrusion detection systems are signature based and heuristic.
Signature-based intrusion detection systems perform simple pattern-matching and report
situations that match a pattern corresponding to a known attack type. Heuristic intrusion
detection systems, also known as anomaly based, build a model of acceptable behavior and
flag exceptions to that model; for the future, the administrator can mark a flagged behavior as
acceptable so that the heuristic IDS will now treat that previously unclassified behavior as
acceptable.
Intrusion detection devices can be network based or host based. A network-based
IDS is a stand-alone device attached to the network to monitor traffic throughout that
network; a host-based IDS runs on a single workstation or client or host, to protect that one
host.
A simple signature for a known attack type might describe a series of TCP SYN packets sent
to many different ports in succession and at times close to one another, as would be the case
for a port scan. An intrusion detection system would probably find nothing unusual in the
first SYN, say, to port 80, and then another (from the same source address) to port 25. But as
more and more ports receive SYN packets, especially ports that are not open, this pattern
reflects a possible port scan. Similarly, some implementations of the protocol stack fail if
they receive an ICMP packet with a data length of 65535 bytes, so such a packet would be a
pattern for which to watch.
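The two signatures just described, as an added detection example that is not part of the notes: SYNs from one source to many distinct ports (some of them closed) within a short window, and an ICMP packet whose data length is 65535. The log format, open-port list, threshold, window and sample lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the notes. The log format is constructed (loosely
# modelled on packet-filter logs); addresses are documentation ranges.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S+))?(?: LEN=(?P<len>\d+))?$"
)

OPEN_PORTS = {25, 80}            # constructed: services the target actually offers
SCAN_THRESHOLD = 5               # distinct ports from one source within WINDOW
WINDOW = timedelta(seconds=10)
PING_OF_DEATH_LEN = 65535        # the ICMP data length the notes single out

def parse(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    ev["len"] = int(ev["len"]) if ev["len"] else None
    return ev

def detect(lines):
    """Return (signature, source) alerts in the order they fire."""
    alerts = []
    syn_history = defaultdict(list)   # src -> [(timestamp, dport), ...]
    already = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "ICMP" and ev["len"] == PING_OF_DEATH_LEN:
            alerts.append(("ping-of-death", ev["src"]))
        if ev["proto"] == "TCP" and ev["flags"] == "S":
            hist = syn_history[ev["src"]]
            hist.append((ev["ts"], ev["dpt"]))
            # Only SYNs close in time count; a SYN to port 80 then 25 is normal.
            recent = {p for t, p in hist if ev["ts"] - t <= WINDOW}
            if (len(recent) >= SCAN_THRESHOLD and recent - OPEN_PORTS
                    and ev["src"] not in already):
                alerts.append(("port-scan", ev["src"]))
                already.add(ev["src"])
    return alerts

SAMPLE_LOG = [   # constructed
    "2024-05-01T09:00:00 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=80 FLAGS=S",
    "2024-05-01T09:00:01 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=25 FLAGS=S",
    "2024-05-01T09:00:02 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=80 FLAGS=S",
    "2024-05-01T09:00:02 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=25 FLAGS=S",
    "2024-05-01T09:00:03 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22 FLAGS=S",
    "2024-05-01T09:00:03 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=21 FLAGS=S",
    "2024-05-01T09:00:04 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=443 FLAGS=S",
    "2024-05-01T09:00:04 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=8080 FLAGS=S",
    "2024-05-01T09:00:09 SRC=192.0.2.7 DST=10.0.0.5 PROTO=ICMP LEN=65535",
]
```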
Because signatures are limited to specific, known attack patterns, another form of intrusion
detection becomes useful. Instead of looking for matches, heuristic intrusion detection looks
for behavior that is out of the ordinary. The original work in this area focused on the
individual, trying to find characteristics of that person that might be helpful in understanding
normal and abnormal behavior. For example, one user might always start the day by reading
e-mail, write many documents using a word processor, and occasionally back up files. These
actions would be normal. This user does not seem to use many administrator utilities. If that
person tried to access sensitive system management utilities, this new behavior might be a
clue that someone else was acting under the user's identity.
Inference engines work in two ways. Some, called state-based intrusion detection
systems, see the system going through changes of overall state or configuration. They try to
detect when the system has veered into unsafe modes. Others try to map current activity onto
a model of unacceptable activity and raise an alarm when the activity resembles the model.
These are called model-based intrusion detection systems. This approach has been extended
to networks in [MUK94]. Later work sought to build a dynamic model of behavior, to
accommodate variation and evolution in a person's actions over time. The technique
compares real activity with a known representation of normality.
Alternatively, intrusion detection can work from a model of known bad activity.
For example, except for a few utilities (login, change password, create user), any other
attempt to access a password file is suspect. This form of intrusion detection is known as
misuse intrusion detection. In this work, the real activity is compared against a known
suspicious area.
Stealth Mode:
An IDS is a network device (or, in the case of a host-based IDS, a program running on a
network device). Any network device is potentially vulnerable to network attacks. How
useful would an IDS be if it itself were deluged with a denial-of-service attack? If an attacker
succeeded in logging in to a system within the protected network, wouldn't trying to disable
the IDS be the next step?
To counter those problems, most IDSs run in stealth mode, whereby an IDS has two
network interfaces: one for the network (or network segment) being monitored and the other
to generate alerts and perhaps other administrative needs. The IDS uses the monitored
interface as input only; it never sends packets out through that interface. Often, the interface
is configured so that the device has no published address through the monitored interface;
that is, a router cannot route anything to that address directly, because the router does not
know such a device exists. It is the perfect passive wiretap. If the IDS needs to generate an
alert, it uses only the alarm interface on a completely separate control network.
1. Responding to alarms:
Whatever the type, an intrusion detection system raises an alarm when it finds a
match. The alarm can range from something modest, such as writing a note in an audit log, to
something significant, such as paging the system security administrator. Particular
implementations allow the user to determine what action the system should take on what
events.
In general, responses fall into three major categories (any or all of which can be used in a
single response):
Monitor, collect data, perhaps increase amount of data collected
Protect, act to reduce exposure
Call a human
2. False Results:
Intrusion detection systems are not perfect, and mistakes are their biggest problem. Although
an IDS might detect an intruder correctly most of the time, it may stumble in two different
ways: by raising an alarm for something that is not really an attack (called a false positive, or
type I error in the statistical community) or not raising an alarm for a real attack (a false
negative, or type II error). Too many false positives means the administrator will be less
confident of the IDS's warnings, perhaps leading to a real alarm's being ignored. But false
negatives mean that real attacks are passing the IDS without action. We say that the degree of
false positives and false negatives represents the sensitivity of the system. Most IDS
implementations allow the administrator to tune the system's sensitivity, to strike an
acceptable balance between false positives and negatives.
On the upside, IDSs detect an ever-growing number of serious problems. And as we learn
more about problems, we can add their signatures to the IDS model. Thus, over time, IDSs
continue to improve. At the same time, they are becoming cheaper and easier to administer.
On the downside, avoiding an IDS is a first priority for successful attackers. An IDS that is
not well defended is useless. Fortunately, stealth mode IDSs are difficult even to find on an
internal network, let alone to compromise. IDSs look for known weaknesses, whether
through patterns of known attacks or models of normal behavior. Similar IDSs may have
identical vulnerabilities, and their selection criteria may miss similar attacks. Knowing how
to evade a particular model of IDS is an important piece of intelligence passed within the
attacker community. Of course, once manufacturers become aware of a shortcoming in their
products, they try to fix it. Fortunately, commercial IDSs are pretty good at identifying
attacks. Another IDS limitation is its sensitivity, which is difficult to measure and adjust.
IDSs will never be perfect, so finding the proper balance is critical.
In general, IDSs are excellent additions to a network's security. Firewalls block
traffic to particular ports or addresses; they also constrain certain protocols to limit their
impact. But by definition, firewalls have to allow some traffic to enter a protected area.
Watching what that traffic actually does inside the protected area is an IDS's job, which it
does quite well.
Secure Email:
We rely on e-mail's confidentiality and integrity for sensitive and important communications,
even though ordinary e-mail has almost no confidentiality or integrity. Here we investigate
how to add confidentiality and integrity protection to ordinary e-mail.
Security of email:
Sometimes we would like e-mail to be more secure. To define and implement a more secure
form, we begin by examining the exposures of ordinary e-mail.
Threats to E-mail
Designs:
One of the design goals for encrypted e-mail was allowing security-enhanced messages to
travel as ordinary messages through the existing Internet e-mail system. This requirement
ensures that the large existing e-mail network would not require change to accommodate
security. Thus, all protection occurs within the body of a message.
Confidentiality:
The encrypted e-mail standard works most easily as just described, using both symmetric and
asymmetric encryption. The standard is also defined for symmetric encryption only: To use
symmetric encryption, the sender and receiver must have previously established a shared
secret encryption key. The processing type ("Proc-Type") field tells what privacy
enhancement services have been applied. In the data exchange key field ("DEK-
Info"), the kind of key exchange (symmetric or asymmetric) is shown. The key
exchange ("Key-Info") field contains the message encryption key, encrypted under
this shared encryption key. The field also identifies the originator (sender) so that
the receiver can determine which shared symmetric key was used. If the key
exchange technique were to use asymmetric encryption, the key exchange field
would contain the message encryption field, encrypted under the recipient's public
key. Also included could be the sender's certificate (used for determining
authenticity and for generating replies). The encrypted e-mail standard supports
multiple encryption algorithms, using popular algorithms such as DES, triple DES,
and AES for message confidentiality, and RSA and Diffie-Hellman for key
exchange.
Encrypted e-mail provides strong end-to-end security for electronic mail. Triple
DES, AES, and RSA cryptography are quite strong, especially if RSA is used with a
long bit key (1024 bits or more). The vulnerabilities remaining with encrypted e-mail
come from the points not covered: the endpoints. An attacker with access could
subvert a sender's or receiver's machine, modifying the code that does the privacy
enhancements or arranging to leak a cryptographic key.