Network Security Overview


Chapter 1

Network Security Overview

J. Wang and Z. Kissel. Introduction to Network Security: Theory and Practice. Wiley and HEP, 2015
Why Is Security Important?

Internet: a public network
Built on TCP/IP
Store-and-forward technology

Chapter 1 Outline

1.1 Mission and Definitions
1.2 Common Attacks and Defense Mechanisms
1.3 Attacker Profiles
1.4 Basic Security Model
1.5 Security Resources

Mission and Definitions

What is data?
Any object that can be processed or executed by a computer
Two states of data:
transmission state
storage state

Tasks of Network Security

Data confidentiality
covering data in both the transmission and storage states

Data integrity
covering data in both the transmission and storage states

Data non-repudiation

Data availability

Loopholes, Flaws, and Defects

Passive Defense: Who and Where?

Multiple-layer defense mechanism

Broader Scope - Information Security

Eavesdropping

Common packet sniffers: tcpdump, Wireshark

Solution - Encrypt data
Cryptanalysis

Find useful information from ciphertext data
e.g. analyzing statistical structure

Defense method
Use longer keys and stronger encryption algorithms

Password Pilfering

Password protection is often the first line of defense, and may be the only defense available in the system
Methods used to pilfer user passwords:
Guessing
Social engineering
Dictionary attacks
Password sniffing

Guessing
Easiest, particularly on short or default passwords
Most commonly used passwords (ref. SplashData):
123456
password
12345678
qwerty (the keys directly below 1 2 3 4 5 6 on a standard keyboard)
abc123
123456789
111111
1234567
iloveyou
adobe123

Social Engineering
Methods of using social skills to pilfer secret information

Physical impersonation
The attacker pretends to be a different person to delude the victim

Phishing
The most common form of mass social-engineering attack in recent years
Disguised email messages or masquerading web sites

See the next slide for a real phishing example, reproduced verbatim (note the typos in the phishing email); the link in the email is a trap

Date: Fri, 5 Oct 2007 16:11:46 -0700
From: US Bank [email protected]
Subject: US Bank Internet Online Access is Locked October 5, 2007 at 12:23:05 PM

Dear US Bank Customer,

Were sorry, but you reached the maximum number of attempts allowed to
login into your US Bank account. For your protection, we have locked your
account.
Consequently, we placed a temporary restriction on your account. We did this
to protect your account from any fraudulent activity.
Please click below and complete the steps to Remove Limitations. This allows
us to confirm your identity and unlock your US Bank online account
http://www4-usbank.com/
If we do no receive the appropriate account verification within 48 hours, then
we will assume this US Bank account is fraudulent and will be suspented.

US Bank, Member FDIC. @2007 US Bank Corporation. All Rights Reserved.

In general, any phishing email contains a link to a bogus Web site, called a phishing site

Other forms
Collecting discarded papers from recycling bins
A Web browser pop-up window asking for the user's login

Defense method: anti-phishing extensions for web browsers are an emerging technology for detecting and blocking phishing sites

Dictionary Attacks
Only encrypted passwords should be stored in a computer system

in UNIX/Linux:
passwords are stored in a file named shadow under the directory /etc

in Windows XP:
passwords are stored in a file named SAM, which is kept in the system's registry

A typical dictionary attack proceeds as follows:

1. Obtain the user names and the corresponding encrypted passwords
2. Run the encryption routine used by the underlying system on all dictionary words, names, and dates
3. Compare each output obtained in step 2 with the encrypted passwords obtained in step 1. If a match is present, a user password has been found

Constructing a rainbow table helps reduce the table size and makes the computation manageable
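Added example (not from the book or the slides) showing why the precomputed table described above works against a fast, unsalted password hash and fails against a per-user salted, iterated one; the dictionary, salts and the PBKDF2 iteration count are constructed/assumed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample dictionary (step 2 of the attack runs the hash routine
# over every entry). A real wordlist would be far larger.
DICTIONARY = ["123456", "password", "qwerty", "abc123", "letmein", "adobe123"]


def unsalted_hash(password: str) -> str:
    """Weak storage scheme: one fast hash that depends only on the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> word once. Because unsalted hashes depend only on the
    password, this one table (or a compressed rainbow table) can be compared
    against every stored hash of every system that uses the same routine."""
    return {unsalted_hash(w): w for w in words}


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Step 3 of the attack becomes a dictionary lookup instead of computation."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stronger storage scheme: per-user random salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256). The salt makes a precomputed table useless across
    users; the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived key) as they would be kept in the password file."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check; constant-time compare avoids leaking how many bytes matched."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> Tuple[Optional[str], bool]:
    """Same weak password stored both ways. Returns (word recovered from the
    unsalted table, whether two salted records of that password collide)."""
    table = build_lookup_table(DICTIONARY)
    recovered = recover_from_table(unsalted_hash("qwerty"), table)
    salt_a, key_a = store_salted("qwerty")
    salt_b, key_b = store_salted("qwerty")
    return recovered, key_a == key_b


if __name__ == "__main__":
    print(demo())  # ('qwerty', False)
```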

Password Sniffing
Password sniffers are software programs used to capture remote login information such as user names and user passwords

Defense method: encrypt all messages, including login information, using, e.g., SSH and HTTPS

Cain & Abel, a password recovery tool, can capture and crack encrypted passwords on Microsoft operating systems

Password Protection
Rules to help protect passwords from pilfering:
1. Use long passwords, with a combination of letters, capital letters, digits,
and other characters such as $,#,@. Do not use dictionary words,
common names and dates.
2. Do not reveal your passwords to anyone you do not know. Do not submit
to anyone who acts as if he has authority. If you have to give out your
password, do so face to face.
3. Change passwords periodically and do not reuse old passwords.
4. Do not use the same password for different accounts.
5. Do not use remote login software that does not encrypt user passwords
and other important personal information.
6. Shred all discarded papers using a good paper shredder.
7. Avoid entering any information in any popup window, and avoid clicking
on links in suspicious emails.

Other User-Authentication Methods

Use biometrics of unique biological features
connect biometric devices to a computer, such as fingerprint readers and retina scanners

Use authenticating items: electronic passes authenticated by the issuer

Authentication using user passwords is by far the easiest method
Identity Spoofing

Identity spoofing attacks allow attackers to impersonate a victim without using the victim's passwords

Man-in-the-middle attacks

Message replays

Network spoofing attacks

Software exploitation attacks


Man-in-the-middle Attacks
The attacker compromises a network device (or installs one of his own) between two or more users, and uses this device to intercept, modify, or fabricate data transmitted between the users.

Defense measures: encrypting and authenticating IP packets


Message Replays
The attacker first intercepts a legitimate message and retransmits it at a later time to the original receiver
For example, an attacker may intercept an authentication pass of a legitimate user and use it to impersonate this user to obtain services from the system

Defense Mechanisms
Attach a random number to the message. This number is referred to as a nonce (it requires storing the entire history of nonces)
Attach a time stamp to the message (it is impossible to synchronize networked computers 100%; there will be a small time error)
The best method is to use a nonce and a time stamp together (only the messages within a small time interval [t, t+Δt] need to be stored)
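Added example (not from the book or the slides) of the combined nonce-plus-timestamp defense just described: the receiver keeps only nonces from the current window, and the nonce, timestamp and payload are authenticated together so they cannot be altered in transit. The window length and the shared key are assumed values chosen for the demo.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

WINDOW = 30.0  # the "small time interval" delta t, in seconds (assumed value)

# Constructed shared key; in practice it comes from the key-exchange protocol.
KEY = b"constructed-demo-key"


def make_message(payload: bytes, now: float) -> Dict[str, object]:
    """Sender side: attach a fresh nonce and a timestamp, then authenticate all
    three fields together so an attacker cannot swap in a new nonce or time."""
    nonce = os.urandom(16)
    ts = struct.pack("!d", now)
    tag = hmac.new(KEY, nonce + ts + payload, hashlib.sha256).digest()
    return {"nonce": nonce, "timestamp": now, "payload": payload, "tag": tag}


class ReplayGuard:
    """Receiver side. Remembers only the nonces accepted inside the current
    window, so memory stays bounded instead of storing the entire history."""

    def __init__(self, window: float = WINDOW):
        self.window = window
        self.seen: Dict[bytes, float] = {}  # nonce -> time it was accepted

    def _expire(self, now: float) -> None:
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def accept(self, msg: Dict[str, object], now: float) -> Tuple[bool, str]:
        self._expire(now)
        nonce, ts, payload, tag = msg["nonce"], msg["timestamp"], msg["payload"], msg["tag"]
        expected = hmac.new(KEY, nonce + struct.pack("!d", ts) + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        # Timestamp check: skew beyond the window is rejected. Clocks are never
        # perfectly synchronized, which is why a window, not equality, is used.
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # Nonce check: catches a replay that arrives while the timestamp is still fresh.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = now
        return True, "ok"


def demo() -> Tuple[str, str, str, int]:
    """One legitimate message, then the same message replayed twice: once inside
    the window (caught by the nonce) and once after it (caught by the timestamp).
    Also returns how many nonces the receiver still remembers at the end."""
    guard = ReplayGuard()
    msg = make_message(b"login alice", now=1000.0)
    first = guard.accept(msg, now=1000.0)[1]
    replay_soon = guard.accept(msg, now=1005.0)[1]
    replay_late = guard.accept(msg, now=1100.0)[1]
    return first, replay_soon, replay_late, len(guard.seen)


if __name__ == "__main__":
    print(demo())  # ('ok', 'replayed nonce', 'stale timestamp', 0)
```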

Network Spoofing
IP spoofing is one of the major network spoofing techniques

SYN flooding
The attacker fills the target computer's TCP buffer with a large number of crafted SYN packets
Purpose: make the target computer unable to establish connections (i.e., to silence/mute the computer)

ARP spoofing, which is also known as ARP poisoning

SYN flooding
1. The attacker sends the victim a large number of crafted SYN packets
2. The victim's computer is obliged to send an ACK packet to the crafted source IP address contained in the SYN packet, according to the three-way handshake protocol
3. Because the source IP address is crafted and unreachable, the victim computer will never receive the ACK packet it is waiting for, allowing the crafted SYN packet to remain in the TCP buffer
4. The TCP buffer becomes completely occupied by the crafted SYN packets, leaving the computer unable to establish communications with other computers
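Added example (not from the book or the slides) of detecting the condition described in steps 1 to 4 from the defender's side: half-open connections, i.e. SYNs never followed by the client's ACK, are counted per destination, because the crafted source addresses make per-source counting meaningless. The packet records, addresses, timeout and alert threshold are constructed/assumed values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, str]  # (seconds, src_ip, dst_ip, tcp_flags)


def build_sample() -> List[Record]:
    """Constructed packet records as a flow monitor might log them; not a real
    capture. Five clients complete the handshake; forty crafted SYNs never do."""
    recs: List[Record] = []
    server = "192.0.2.10"
    for i in range(5):
        client = f"10.0.0.{i + 1}"
        t = i * 0.1
        recs += [(t, client, server, "S"),          # client SYN
                 (t + 0.01, server, client, "SA"),  # server SYN-ACK
                 (t + 0.02, client, server, "A")]   # client ACK completes
    for j in range(40):
        # Flood: spoofed, unreachable sources, so no ACK ever comes back
        recs.append((1.0 + j * 0.005, f"203.0.113.{j + 1}", server, "S"))
    return sorted(recs)


def half_open_per_dst(records: List[Record], now: float, timeout: float = 1.0) -> Dict[str, int]:
    """Count, per destination, SYNs that were not followed by the client's ACK
    within `timeout` seconds as of time `now` (the entries the TCP buffer holds)."""
    pending: Dict[Tuple[str, str], float] = {}
    for t, src, dst, flags in records:
        key = (src, dst)
        if flags == "S":
            pending[key] = t
        elif flags == "A" and key in pending:
            del pending[key]  # handshake completed, slot released
    counts: Dict[str, int] = defaultdict(int)
    for (src, dst), t in pending.items():
        if now - t >= timeout:
            counts[dst] += 1
    return dict(counts)


def syn_flood_alerts(counts: Dict[str, int], threshold: int = 25) -> List[str]:
    """Destinations whose half-open backlog exceeds what normal traffic produces."""
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    c = half_open_per_dst(build_sample(), now=5.0)
    print(c, syn_flood_alerts(c))  # {'192.0.2.10': 40} ['192.0.2.10']
```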

TCP Hijacking
V is a company computer
Alice, an employee of the company, is going to log on to V remotely

1. Alice sends a SYN packet to V
2. The attacker intercepts this packet and uses SYN flooding to mute V, so that V can't complete the three-way handshake
3. The attacker predicts the correct TCP sequence number for the ACK supposed to be sent from V to Alice. The attacker then crafts an ACK packet with that sequence number and V's IP address and sends it to Alice
4. Alice verifies the ACK packet and sends an ACK packet to the attacker to complete the handshake
5. The TCP connection is established between Alice and the attacker, instead of between Alice and V.

ARP Spoofing

The attacker changes the legitimate MAC address of a networked computer to a different MAC address chosen by the attacker

Defense method: checking
Check MAC addresses and domain names

Buffer-Overflow Exploitation
Buffer overflow, a.k.a. buffer overrun, is a common software flaw.
A buffer overflow occurs if a process writes more data into a buffer area than it is supposed to hold

It is possible to exploit buffer overflows to redirect the victim's program to execute the attacker's own code located in a different location. Such attacks often exploit function calls in the standard memory layout, where the buffer is placed in a heap and the return address of the function call is placed in a stack

General steps of a buffer-overflow attack:
1. Find a program that is prone to buffer overflows (e.g. programs that use functions that do not check bounds)
2. Figure out the address of the attacker's code
3. Determine the number of bytes that is long enough to overwrite the return address
4. Overflow the buffer so that it rewrites the original return address of the function call with the address of the attacker's code

Defense method
1. Coding: follow good programming practice; always add statements to check bounds when dealing with buffers
2. Compiling: insert a random canary value before the return address
Repudiation

In some situations the owner of the data may not want to admit ownership of the data, to evade legal consequences
He may argue that he has never sent or received the data in question

Defense method
Use stronger encryption and authentication algorithms

Intrusion
An illegitimate user gains access to someone else's computer systems. Configuration loopholes, protocol flaws, and software side effects may all be exploited by intruders

Intrusion detection is a technology for detecting intrusion incidents.
Closing TCP and UDP ports that may be exploited by intruders can also help reduce intrusions

IP scans and port scans are common hacking tools. However, they can also help users identify which ports in their own systems are open and which ports may be vulnerable.

Traffic Analysis

The purpose is to determine who is talking to whom by analyzing IP packets. Even if the payload of the IP packet is encrypted, the attacker may still obtain useful information from analyzing IP headers

Defense method: encrypt IP headers. But an IP packet with an encrypted IP header cannot be routed to its destination. Thus, network gateways are needed

A network gateway also protects the internal network topology

(1) The sender forwards an IP packet to gateway A. (2) Gateway A encrypts the sender's IP packet and routes it to the next router in the Internet. (3) The IP packet from gateway A is delivered to gateway B. (4) Gateway B removes its header, decrypts the encrypted IP packet of the sender, and forwards it to the receiver.

Denial of Service Attacks
The goal is to block legitimate users from getting services they can normally get from servers

DoS: launched from a single computer

DDoS: launched from a group of computers

DoS
SYN flooding is a typical and effective technique used by DoS attacks. The smurf attack is another typical type of DoS attack

Smurf attack: the attacker sends an excessive number of crafted ping requests to a large number of computers within a short period of time, where the source IP address in the crafted ping request is replaced with the victim's IP address. Therefore, each computer that receives the crafted ping request will respond to the victim's computer with a pong message.
DDoS
A typical DDoS attack proceeds as follows:
1. Compromise as many networked computers as possible
2. Install special software on the compromised computers to carry out a DoS attack at a certain later time
3. Issue an attack command to every zombie computer to launch a DoS attack on the same target at the same time

Spam Mail

Spam mails are uninvited email messages, which may be commercial messages or phishing messages

While not intended to bring the user's computer out of service, spam mails do consume computing resources

Spamming also occurs in Web search engines, instant messaging, blogs, mobile phone messaging, and other network applications

Defense method: spam filters are software solutions that detect and block spam mails before they reach the user's mailbox

Malicious Software

Software intended to harm computers is malicious software. Malicious software is also referred to as malware
Viruses
Worms
Trojan horses
Logic bombs
Backdoors
Spyware

Viruses and Worms
A computer virus is a piece of software that can reproduce itself. A virus is not a standalone program. It must attach itself to another program or another file. A program or file that contains a virus is called an infected host

A computer worm is also a piece of software that can reproduce itself. Unlike a virus, a worm is a standalone program.

Defense method
Do not download software from untrusted Web sites or other sources
Do not open any executable file given to you by someone you do not know
Make sure software patches are installed and up to date

Trojan Horse
Trojan horses are software programs that appear to do one thing, but secretly also perform other tasks

Trojan horses often disguise themselves as desirable and harmless software applications to lure people into downloading them

Defense method: the same measures used to combat viruses and worms can also be used to combat Trojan horses. Virus scanners can also detect, quarantine, and delete Trojan horses
Logic Bombs
Logic bombs are subroutines or instructions embedded in a program. Their execution is triggered by conditional statements

Defense method
Employers should take care of their employees, so that none would be tempted to place a logic bomb
Project managers should hire an outside company or form a special team of reviewers, drawn from a different group of people than the developers, to review the source code
Relevant laws should be established so that employees who plant logic bombs will face criminal charges
Backdoors
Backdoors are secret entrance points to a program

They may be inserted by software developers to provide a shortcut into a password-protected program when attempting to modify or debug code

Defense method: have the source code checked by an independent team

Spyware
Spyware is a type of software that installs itself on the user's computer

Spyware is often used to monitor what users do and to harass them with pop-up commercial messages
Browser hijacking is a technique that changes the settings of the user's browsers

Zombieware: software that takes over the user's computer and turns it into a zombie for launching DDoS attacks, or into a relay that carries out harmful activities such as sending spam email or spreading viruses.

Spyware can also do a number of other things, including:
Monitoring: monitoring a user's surfing habits and patterns and reporting them to a web server or to the attacker's machine.
Password sniffing: sniffing user passwords by logging the user's keystrokes with a keystroke logger
Adware: software that automatically displays advertising material on the user's computer screen.

Defense method: use anti-spyware software to detect and block spyware
Hackers
Computer hackers are people with special knowledge of computer systems. They are interested in subtle details of software, algorithms, and system configurations
Black-hat hackers hack computing systems for their own benefit

White-hat hackers hack computing systems for the purpose of searching for security loopholes and developing solutions

Grey-hat hackers wear a white hat most of the time, but may also wear a black hat once in a while

When discovering security vulnerabilities in a software product, white-hat hackers and grey-hat hackers would often work directly with the vendors of the products to help fix the problems

Script Kiddies

Script kiddies are people who use scripts and programs developed by black-hat hackers to attack other people's computers

Even though they do not know how to write hacking tools or understand how an existing hacking tool works, script kiddies can inflict a lot of damage

Cyber Spies
Collecting intelligence through intercepted network communications is the job of cyber spies

Countries have intelligence agencies
Military organizations have intelligence units (WWII example)

They intercept network communications and decipher encrypted messages

Vicious Employees, Cyber Terrorists
and Hypothetical Attackers
Vicious Employees
Vicious employees are people who intentionally breach security to harm
their employers

Cyber Terrorists
Cyber terrorists are terrorists who use computer and network
technologies to carry out their attacks and produce public fear

Hypothetical Attackers
black-hat hackers
script kiddies
greedy cyber spies who are willing to betray their countries or
organizations for monetary benefits
vicious employees
Basic Security Model

The basic security model consists of four components: cryptosystems, firewalls, anti-malicious-software systems (AMS software), and intrusion detection systems (IDS)

Network model of cryptosystem

1. What solutions can a programmer adopt to anticipate buffer overflow attacks?
2. What is the difference between DoS and DDoS attacks?
3. What is the solution for avoiding Trojan-type attacks?

Example Security Resources
CERT
www.cert.org
SANS Institute
www.sans.org
Microsoft Security
www.microsoft.com/security/default.mspx
NTBugtraq
www.ntbugtraq.com
CVE database
www.cve.mitre.org