Scribd Logo
Upload

Welcome to Scribd!

  • 41 views

    Introduction To Network Security: Guest Lecture Debabrata Dash

    Uploaded by

    Ankit Rohatgi
    This document provides an outline and overview of topics related to network security. It introduces security vulnerabilities at different layers of the TCP/IP protocol suite and different types of attacks. It discusses denial of service attacks and distributed denial of service attacks. It then covers firewalls as a mechanism to limit network access and enforce security policies, including packet filtering firewalls and proxy firewalls. Finally, it introduces intrusion detection systems as a complementary technique to firewalls for monitoring network traffic and detecting attacks.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd

    Introduction To Network Security: Guest Lecture Debabrata Dash

    Uploaded by

    Ankit Rohatgi
    41 views47 pages
    This document provides an outline and overview of topics related to network security. It introduces security vulnerabilities at different layers of the TCP/IP protocol suite and different types of attacks. It discusses denial of service attacks and distributed denial of service attacks. It then covers firewalls as a mechanism to limit network access and enforce security policies, including packet filtering firewalls and proxy firewalls. Finally, it introduces intrusion detection systems as a complementary technique to firewalls for monitoring network traffic and detecting attacks.

    Original Description:

    ....

    Original Title

    26-security2

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides an outline and overview of topics related to network security. It introduces security vulnerabilities at different layers of the TCP/IP protocol suite and different types of attacks. It discusses denial of service attacks and distributed denial of service attacks. It then covers firewalls as a mechanism to limit network access and enforce security policies, including packet filtering firewalls and proxy firewalls. Finally, it introduces intrusion detection systems as a complementary technique to firewalls for monitoring network traffic and detecting attacks.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    41 views47 pages

    Introduction To Network Security: Guest Lecture Debabrata Dash

    Uploaded by

    Ankit Rohatgi
    This document provides an outline and overview of topics related to network security. It introduces security vulnerabilities at different layers of the TCP/IP protocol suite and different types of attacks. It discusses denial of service attacks and distributed denial of service attacks. It then covers firewalls as a mechanism to limit network access and enforce security policies, including packet filtering firewalls and proxy firewalls. Finally, it introduces intrusion detection systems as a complementary technique to firewalls for monitoring network traffic and detecting attacks.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    of 47

    Introduction to

    Network Security

    Guest Lecture
    Debabrata Dash
    Outline
    Security Vulnerabilities
    DoS and D-DoS
    Firewalls
    Intrusion Detection Systems
    Security Vulnerabilities
    Security Problems in the TCP/IP Protocol
    Suite Steve Bellovin - 89
    Attacks on Different Layers
    IP Attacks
    ICMP Attacks
    Routing Attacks
    TCP Attacks
    Application Layer Attacks

    Why?
    TCP/IP was designed for connectivity
    Assumed to have lots of trust


    Host implementation vulnerabilities
    Software had/have/will have bugs
    Some elements in the specification were left
    to the implementers
    Security Flaws in IP
    The IP addresses are filled in by the originating host
    Address spoofing
    Using source address for authentication
    r-utilities (rlogin, rsh, rhosts etc..)
    Internet
    2.1.1.1 C
    1.1.1.1 1.1.1.2 A
    B
    1.1.1.3 S
    Can A claim it is B to the
    server S?
    ARP Spoofing
    Can C claim it is B to the
    server S?
    Source Routing
    Security Flaws in IP
    IP fragmentation attack
    End hosts need to keep the fragments till all the
    fragments arrive


    Traffic amplification attack
    IP allows broadcast destination
    Problems?
    Ping Flood
    Attacking System
    Internet
    Broadcast
    Enabled
    Network
    Victim System
    ICMP Attacks
    No authentication
    ICMP redirect message
    Can cause the host to switch gateways
    Benefit of doing this?
    Man in the middle attack, sniffing
    ICMP destination unreachable
    Can cause the host to drop connection
    ICMP echo request/reply
    Many more
    http://www.sans.org/rr/whitepapers/threats/477.php
    Routing Attacks
    Distance Vector Routing
    Announce 0 distance to all other nodes
    Blackhole traffic
    Eavesdrop
    Link State Routing
    Can drop links randomly
    Can claim direct link to any other routers
    A bit harder to attack than DV
    BGP
    ASes can announce arbitrary prefix
    ASes can alter path
    TCP Attacks
    Issues?
    Server needs to keep waiting for ACK y+1
    Server recognizes Client based on IP address/port
    and y+1

    Client
    Server
    SYN x
    SYN y | ACK x+1
    ACK y+1
    TCP Layer Attacks
    TCP SYN Flooding
    Exploit state allocated at server after initial
    SYN packet
    Send a SYN and dont reply with ACK
    Server will wait for 511 seconds for ACK
    Finite queue size for incomplete connections
    (1024)
    Once the queue is full it doesnt accept
    requests
    TCP Layer Attacks
    TCP Session Hijack
    When is a TCP packet valid?
    Address/Port/Sequence Number in window
    How to get sequence number?
    Sniff traffic
    Guess it
    Many earlier systems had predictable ISN
    Inject arbitrary data to the connection
    TCP Layer Attacks
    TCP Session Poisoning
    Send RST packet
    Will tear down connection
    Do you have to guess the exact sequence
    number?
    Anywhere in window is fine
    For 64k window it takes 64k packets to reset
    About 15 seconds for a T1

    Application Layer Attacks
    Applications dont authenticate properly
    Authentication information in clear
    FTP, Telnet, POP
    DNS insecurity
    DNS poisoning
    DNS zone transfer
    An Example
    Shimomura (S)
    Trusted (T)
    Mitnick
    Finger
    Finger @S
    showmount e
    Send 20 SYN packets to S

    Attack when no one is around
    What other systems it trusts?
    Determine ISN behavior
    Showmount -e
    SYN
    An Example
    Shimomura (S)
    Trusted(T)
    Mitnick
    Finger @S
    showmount e
    Send 20 SYN packets to S
    SYN flood T
    Attack when no one is around
    What other systems it trusts?
    Determine ISN behavior
    T wont respond to packets
    Syn flood
    X
    An Example
    Shimomura (S)
    trusted (T)
    Mitnick (M)
    Finger @S
    showmount e
    Send 20 SYN packets to S
    SYN flood T
    Send SYN to S spoofing as T
    Send ACK to S with a
    guessed number
    Attack when no one is around
    What other systems it trusts?
    Determine ISN behavior
    T wont respond to packets
    S assumes that it has a session
    with T
    X
    SYN
    SYN|ACK
    ACK
    An Example
    Shimomura (S)
    Trusted (T)
    Mitnick
    Finger @S
    showmount e
    Send 20 SYN packets to S
    SYN flood T
    Send SYN to S spoofing as T
    Send ACK to S with a
    guessed number
    Send echo + + > ~/.rhosts
    Attack when no one is around
    What other systems it trusts?
    Determine ISN behavior
    T wont respond to packets
    S assumes that it has a session
    with T
    Give permission to anyone from
    anywhere
    X
    ++ >rhosts
    Outline
    Security Vulnerabilities
    DoS and D-DoS
    Firewalls
    Intrusion Detection Systems
    You are here
    Denial of Service
    Objective make a service unusable, usually
    by overloading the server or network

    Consume host resources
    TCP SYN floods
    ICMP ECHO (ping) floods

    Consume bandwidth
    UDP floods
    ICMP floods

    Denial of Service
    Crashing the victim
    Ping-of-Death
    TCP options (unused, or used incorrectly)

    Forcing more computation
    Taking long path in processing of packets

    Simple DoS
    Attacker
    Victim Victim Victim
    The Attacker usually spoofed
    source address to hide origin
    Easy to block
    Coordinated DoS
    Attacker
    Victim Victim Victim
    Attacker Attacker
    The first attacker attacks a different victim to cover up the real attack
    The Attacker usually spoofed source address to hide origin
    Harder to deal with
    Distributed DoS
    Attacker
    Handler Handler
    Agent Agent Agent Agent Agent
    Victim
    Distributed DoS
    The handlers are usually very high volume servers
    Easy to hide the attack packets
    The agents are usually home users with DSL/Cable
    Already infected and the agent installed
    Very difficult to track down the attacker
    How to differentiate between DDoS and Flash Crowd?
    Flash Crowd Many clients using a service legimitaly
    Slashdot Effect
    Victoria Secret Webcast
    Generally the flash crowd disappears when the network is
    flooded
    Sources in flash crowd are clustered
    Outline
    Security Vulnerabilities
    DoS and D-DoS
    Firewalls
    Intrusion Detection Systems
    You are here
    Firewalls
    Lots of vulnerabilities on hosts in network
    Users dont keep systems up to date
    Lots of patches
    Lots of exploits in wild (no patch for them)
    Solution?
    Limit access to the network
    Put firewalls across the perimeter of the
    network
    Firewalls (contd)
    Firewall inspects traffic through it
    Allows traffic specified in the policy
    Drops everything else
    Two Types
    Packet Filters, Proxies
    Internet
    Internal Network
    Firewall
    Packet Filters
    Packet filter selectively passes packets from one
    network interface to another
    Usually done within a router between external
    and internal networks
    screening router

    Can be done by a dedicated network element
    packet filtering bridge
    harder to detect and attack than screening routers
    Packet Filters Contd.
    Data Available
    IP source and destination addresses
    Transport protocol (TCP, UDP, or ICMP)
    TCP/UDP source and destination ports
    ICMP message type
    Packet options (Fragment Size etc.)
    Actions Available
    Allow the packet to go through
    Drop the packet (Notify Sender/Drop Silently)
    Alter the packet (NAT?)
    Log information about the packet


    Packet Filters Contd.
    Example filters
    Block all packets from outside except for
    SMTP servers
    Block all traffic to a list of domains
    Block all connections from a specified domain
    Typical Firewall Configuration
    Internal hosts can access DMZ
    and Internet
    External hosts can access DMZ
    only, not Intranet
    DMZ hosts can access Internet
    only
    Advantages?
    If a service gets compromised
    in DMZ it cannot affect internal
    hosts
    Internet
    Intranet
    DMZ
    X
    X
    Example Firewall Rules
    Stateless packet filtering firewall
    Rule (Condition, Action)
    Rules are processed in top-down order
    If a condition satisfied action is taken
    Sample Firewall Rule
    Dst
    Port
    Alow
    Allow
    Yes
    Any
    > 1023
    22
    TCP 22
    TCP > 1023
    Ext Int Out SSH-2
    Int Ext In SSH-1
    Dst
    Addr
    Proto
    Ack
    Set?
    Action
    Src
    Port
    Src
    Addr
    Dir Rule
    Allow SSH from external hosts to internal hosts
    Two rules
    Inbound and outbound
    How to know a packet is for SSH?
    Inbound: src-port>1023, dst-port=22
    Outbound: src-port=22, dst-port>1023
    Protocol=TCP
    Ack Set?
    Problems?
    SYN
    SYN/ACK
    ACK
    Client Server
    Default Firewall Rules
    Egress Filtering
    Outbound traffic from external address Drop
    Benefits?
    Ingress Filtering
    Inbound Traffic from internal address Drop
    Benefits?
    Default Deny
    Why?
    Any
    Dst
    Port
    Any Deny Any Any Int Any Int In Ingress
    Deny Any Any Ext Any Ext Out Egress
    Any Deny Any Any Any Any Any Any Default
    Dst
    Addr
    Proto
    Ack
    Set?
    Action
    Src
    Port
    Src
    Addr
    Dir Rule
    Packet Filters
    Advantages
    Transparent to application/user
    Simple packet filters can be efficient
    Disadvantages
    Usually fail open
    Very hard to configure the rules
    Doesnt have enough information to take actions
    Does port 22 always mean SSH?
    Who is the user accessing the SSH?
    Alternatives
    Stateful packet filters
    Keep the connection states
    Easier to specify rules
    More popular
    Problems?
    State explosion
    State for UDP/ICMP?
    Alternatives
    Proxy Firewalls
    Two connections instead of one
    Either at transport level
    SOCKS proxy
    Or at application level
    HTTP proxy
    Requires applications (or dynamically
    linked libraries) to be modified to use the
    proxy
    Proxy Firewall
    Data Available
    Application level information
    User information
    Advantages?
    Better policy enforcement
    Better logging
    Fail closed
    Disadvantages?
    Doesnt perform as well
    One proxy for each application
    Client modification

    Outline
    Security Vulnerabilities
    DoS and DDoS
    Firewalls
    Intrusion Detection Systems
    You are here
    Intrusion Detection Systems
    Firewalls allow traffic only to legitimate
    hosts and services
    Traffic to the legitimate hosts/services can
    have attacks
    CodeReds on IIS
    Solution?
    Intrusion Detection Systems
    Monitor data and behavior
    Report when identify attacks
    Types of IDS
    Host-based
    Network-
    based
    Signature-
    based
    Anomaly-
    based
    Signature-based IDS
    Characteristics
    Uses known pattern matching
    to signify attack
    Advantages?
    Widely available
    Fairly fast
    Easy to implement
    Easy to update
    Disadvantages?
    Cannot detect attacks for which it has no signature

    Anomaly-based IDS
    Characteristics
    Uses statistical model or machine learning engine to characterize
    normal usage behaviors
    Recognizes departures from normal as potential intrusions
    Advantages?
    Can detect attempts to exploit new and unforeseen vulnerabilities
    Can recognize authorized usage that falls outside the normal pattern
    Disadvantages?
    Generally slower, more resource intensive compared to signature-
    based IDS
    Greater complexity, difficult to configure
    Higher percentages of false alerts
    Network-based IDS
    Characteristics
    NIDS examine raw packets in the network
    passively and triggers alerts
    Advantages?
    Easy deployment
    Unobtrusive
    Difficult to evade if done at low level of
    network operation
    Disadvantages?
    Fail Open
    Different hosts process packets differently
    NIDS needs to create traffic seen at the
    end host
    Need to have the complete network
    topology and complete host behavior
    Host-based IDS
    Characteristics
    Runs on single host
    Can analyze audit-trails, logs, integrity of files and
    directories, etc.
    Advantages
    More accurate than NIDS
    Less volume of traffic so less overhead
    Disadvantages
    Deployment is expensive
    What happens when host get compromised?
    Summary
    TCP/IP security vulnerabilities
    Spoofing
    Flooding attacks
    TCP session poisoning
    DOS and D-DOS
    Firewalls
    Packet Filters
    Proxy
    IDS
    Signature and Anomaly IDS
    NIDS and HIDS

    You might also like