
Department of Information Technology

Internet Security Unit no: 1

Internetwork Security and Web Analytics (3171616)

Prof. Ankita Paul


Content
 Picking a security policy, Host based security, Perimeter security, strategy for secure network
 Security Review of protocols – lower layer and upper layer
 The Web: Threat or Menace?
 Classes of attacks
Picking a Security Policy
 A security policy is the set of decisions that, collectively, determines an organization’s posture toward security.
 A security policy delimits the boundaries of acceptable behavior, and what the response to violations should be.
 Your security policy may determine what legal recourse you have if you are ever attacked.
 You must first decide what is and is not permitted.
   Some companies may issue an edict that bars personal use of corporate computers.
   Some companies wish to restrict exporting valuable data.
 Other policies may be driven by technological considerations: a specific protocol, though undeniably useful, may not be used because it cannot be administered securely.
 Making such decisions is clearly an iterative process, and one’s choices should never be carved in stone.
 It is hard to form these policies. You often need someone with both the clout of a CEO and the expertise of a security wizard.
Policy Questions
“What resources are you trying to protect?”
 CPU cycles, software with certain configuration files, storage devices, cryptographic keys, and so on.
 The answer to this first question will dictate the host-specific measures that are needed. Machines with sensitive files may require extra security measures: stronger authentication, keystroke logging and strict auditing, or even file encryption.
“Who is interested in attacking you?”
“How much security can you afford?”
 Financial expenditures like extra routers, firewalls, software packages, etc.
 Too much security can hurt as surely as too little can. Annoyed by increases in security, good people have left companies.
Stance
“Anything you don’t understand is dangerous until you do understand it”
 A key decision in the policy is the stance of your design. The stance is the attitude of the designers.
 One philosophy says, “We’ll run it unless you can show me that it’s broken.”
 People at the other end say, “Show me that it’s both safe and necessary; otherwise, we won’t run it.”
 Fail-Safe Design – if we have overlooked a security hole or installed a broken program, we believe our firewalls are still safe.
 Whether or not a security policy is formally spelled out, one always exists.
 If nothing else is said or implemented, the default policy is “anything goes”.
Host-Based Security
 If a host is connected to a network, it ought to be up to the host to protect itself from network-borne abuses.
 Windows runs many services, resulting in more potential holes.
 Do you know what services are running on your corporate Windows machine?
 Do you know how to find out, how to disable them, and how to do it reliably on each machine?
 Can you tell if some user has turned a service back on?
 Do you know what new functions are enabled by vendor service packs?
 The hosts that tend to be safer include the commercial firewalls, which were originally built with security as their primary goal.
Perimeter Security
 If it is too difficult to secure each house in a neighborhood, perhaps the residents can band together to build a wall around the town.
 Well-trained guards can be posted at the gates while the people go about their business.
 This approach is called perimeter security, and it is very important on the Internet.
 It has two components: the wall and the gate.
 On the Internet, the gate is implemented with a firewall, a configuration of machines and software that allows the town’s people to do their business, without letting the Bad Guys in.
 To be effective, the wall should go all the way around the town, and be high enough and thick enough to withstand attack.
Strategies for a Secure Network
Host Security
 Transitive Trust
 By taking over root, the system’s identity, or by taking over some user account
 No matter how well written the code and how clean the design, subsequent human error can negate all of the protections. Consider the following sequence of events:
   A gateway machine malfunctioned on a holiday weekend, when none of the usual system administrators was available.
   The backup expert could not diagnose the problem over the phone and needed a guest account created.
   The operator added the account guest, with no password.
   The expert neglected to add a password.
   The operator forgot to delete the account.
   Some university students found the account within a day and told their friends.
Gateways and Firewalls
 Recommend firewalls to protect networks
 Firewall –
   All traffic from inside to outside, and vice-versa, must pass through the firewall.
   Only authorized traffic, as defined by the local security policy, will be allowed to pass.
 Gateways
DMZs
 A demilitarized zone (DMZ) is a perimeter network that protects an organization’s internal local-area network (LAN) from untrusted traffic.
 A common DMZ meaning is a subnetwork that sits between the public internet and private networks.
Security Review of Protocols: Lower Layers
Basic Protocols
IP
 IP is an unreliable datagram service.
 There is no guarantee that a packet was actually sent from the given source address. Any host can transmit a packet with any source address – IP spoofing (attackers can send packets with faked return addresses). Authentication and security must therefore be provided by mechanisms in higher layers of the protocol stack.
 A packet travelling a long distance will travel through many hops.
 A router may drop a packet due to traffic.
 If a packet is too large, it is fragmented.
 Some packet filters have been breached by being fed packets with pathological fragmentation (the filter can misprocess or simply pass the second packet).
 IP addresses – IPv4 – CIDR – 207.99.106.128/25
 Directed Broadcast
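The "pathological fragmentation" point above is worth seeing concretely. The following Python is an added example, not code from the slides or their source text: a small reassembly check that refuses fragment sets in which a later fragment overlaps bytes already delivered, leaves a gap, or never clears the More Fragments flag. A filter that only inspects the first fragment and waves the rest through would accept the overlapping set; this check rejects it. The `Fragment` class, byte-based offsets and the sample fragment sets are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. Offsets are in bytes here for readability
    (the real header field counts 8-byte units)."""
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # byte offset of this payload within the original datagram
    payload: bytes
    more: bool      # More Fragments (MF) flag


def check_fragments(frags):
    """Return (ok, reason). The set is rejected when a fragment overlaps bytes
    already covered, when there is a gap, or when no fragment clears MF."""
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset < expected:
            # Later fragment rewrites data an earlier one already supplied:
            # the classic trick against filters that only look at fragment 0.
            return False, f"overlap at offset {f.offset}"
        if f.offset > expected:
            return False, f"gap at offset {expected}"
        expected = f.offset + len(f.payload)
    if not ordered or ordered[-1].more:
        return False, "no terminating fragment"
    return True, "ok"


def reassemble(frags):
    """Reassemble only sets that pass the check; a filter would drop the rest."""
    ok, reason = check_fragments(frags)
    if not ok:
        raise ValueError(reason)
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))


# Constructed sample fragment sets (not real captures).
GOOD = [
    Fragment(1, 0, b"GET /ind", True),
    Fragment(1, 8, b"ex HTTP/", False),
]
OVERLAP = [  # second fragment rewrites bytes 4..11 of the first
    Fragment(2, 0, b"GET /ind", True),
    Fragment(2, 4, b"HIDDEN!!", False),
]
GAP = [
    Fragment(3, 0, b"GET /ind", True),
    Fragment(3, 16, b"HTTP/1.0", False),
]

if __name__ == "__main__":
    print(reassemble(GOOD))
    for name, frags in (("OVERLAP", OVERLAP), ("GAP", GAP)):
        print(name, check_fragments(frags))
```

The design choice is to reassemble (or at least track coverage) before making a filtering decision, so that a decision made on the first fragment cannot be silently overridden by a later one.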
ARP
 It is used to mediate between Ethernet and the network layer.
 ARP works by sending out an Ethernet broadcast packet containing the desired IP address. That destination host, or another system acting on its behalf, replies with a packet containing the IP and Ethernet address pair.
 There is considerable risk here if untrusted nodes have write access to the local net. Such a machine could emit phony ARP queries or replies and divert all traffic to itself – called ARP spoofing.
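The visible symptom of the ARP spoofing described above is an IP address that suddenly answers with a different hardware address. The Python below is an added example (not from the slides) of the detection side: it learns the first MAC seen for each IP from a list of ARP replies and reports any later reply that disagrees. The reply records and addresses are constructed; the optional `known` table stands in for statically configured entries for critical hosts such as the default gateway.

```python
# Constructed sample: (timestamp, sender IP, sender MAC) fields from ARP replies.
SAMPLE_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # the real gateway
    (2, "10.0.0.7", "aa:aa:aa:aa:aa:07"),
    (3, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway again, consistent
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # a second station claims the gateway's IP
    (5, "10.0.0.7", "aa:aa:aa:aa:aa:07"),
]


def detect_arp_conflicts(replies, known=None):
    """Return (learned_table, alerts).

    learned_table maps IP -> first MAC seen (or the static entry from `known`).
    alerts lists (timestamp, ip, expected_mac, claimed_mac) for every reply
    that contradicts the table. The table is never overwritten by a
    conflicting reply, which is the behaviour a static ARP entry gives you.
    """
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac
        elif prev != mac:
            alerts.append((ts, ip, prev, mac))
    return table, alerts


if __name__ == "__main__":
    table, alerts = detect_arp_conflicts(SAMPLE_REPLIES)
    for alert in alerts:
        print("ARP conflict:", alert)
```

On a real segment this logic sits behind a packet capture of ARP traffic; the point it demonstrates is that the defence against a spoofed reply is to remember what you already knew (or were told by configuration) rather than to accept the newest answer.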


TCP
 Provides a reliable virtual circuit to users.
 Attackers have gamed the half-open state (a connection whose three-way handshake has not completed): SYN attacks flood the server with the first packet only, so the connection is never completed.
 If an attacker can predict the target’s choice of starting points (possible under certain circumstances), then it is possible for the attacker to trick the target into believing that it is talking to a trusted machine. This is known as a sequence number attack.
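Both TCP problems above leave a footprint an administrator can check for. The Python below is an added example, not from the slides: it counts half-open (SYN_RECV) connections per listening port from constructed netstat-style lines and flags ports over a threshold, and it includes a crude check of whether a list of observed initial sequence numbers advances by a constant step, which is the "predictable starting point" the sequence number attack depends on. The sample lines, addresses and ISN values are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed netstat-style connection table (not real output).
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 203.0.113.10:51000 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.2:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.3:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.4:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.5:40004 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.10:51010 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.11:51011 SYN_RECV
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def half_open_by_port(text):
    """Count SYN_RECV entries per local port and remember the remote sources."""
    counts = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _local_ip, lport, remote_ip, _rport, state = m.groups()
        if state == "SYN_RECV":
            counts[int(lport)] += 1
            sources[int(lport)].add(remote_ip)
    return counts, sources


def syn_flood_suspects(text, threshold=3):
    """Ports whose half-open count reaches the threshold -> (count, distinct sources).
    Many half-open entries from many (often spoofed) sources is the SYN-flood pattern."""
    counts, sources = half_open_by_port(text)
    return {port: (n, len(sources[port])) for port, n in counts.items() if n >= threshold}


def isn_predictable(isns):
    """True when consecutive initial sequence numbers differ by one constant step,
    i.e. the next ISN can be guessed from the previous ones. Needs 3+ samples."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = {b - a for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_NETSTAT))
    print(isn_predictable([1000, 1064, 1128, 1192]))      # constructed, steps of 64
    print(isn_predictable([1000, 88231, 4012, 990001]))   # constructed, no pattern
```

The threshold is deliberately a parameter: what counts as "too many" half-open connections depends on the service's normal load, and the remedy (SYN cookies, shorter half-open timeouts, upstream filtering) belongs in the stack or the firewall rather than in this monitoring script.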
UDP
 User Datagram Protocol – delivery is on a best-effort basis; there is no error correction, retransmission, or detection of lost, duplicated, or re-ordered packets. Even error detection is optional with UDP.
 It is much easier to spoof UDP packets than TCP packets, as there are no handshakes or sequence numbers. Extreme caution is therefore indicated when using the source address from any such packet.
 Applications that care must make their own arrangements for authentication.
ICMP – Internet Control Message Protocol
 It is used to inform hosts of a better route to a destination, to report trouble with a route, or to terminate a connection because of network problems.
 Many ICMP messages received on a given host are specific to a particular connection or are triggered by a packet sent by that machine.
 Worse things can be done with Redirect messages. Redirect messages should be obeyed only by hosts, not routers, and only when a message comes from a router on a directly attached network.
 However, not all routers are that careful; it is sometimes possible to abuse ICMP to create new paths to a destination. If that happens, you are in serious trouble indeed.
Managing Addresses and Names
Routers and Routing Protocols
 Routing information establishes two paths: from the calling machine to the destination and back.
 The second path may or may not be the reverse of the first. When they are not, it is called an asymmetric route.
 There are a number of ways to attack the standard routing facilities. The easiest way is to employ the IP loose source route option. With it, the person initiating a TCP connection can specify an explicit path to the destination, overriding the usual route selection process.
 Another path attackers can take is to play games with the routing protocols themselves.
 For example, it is relatively easy to inject bogus Routing Information Protocol (RIP) packets into a network. Hosts and other routers will generally believe them.
 If the attacking machine is closer to the target, it is easy to divert traffic and much harder to detect this.
The Domain Name System (DNS)
 The separation between forward naming and backward naming can lead to trouble.
 A hacker who controls a portion of the inverse mapping tree can make it lie.
 That is, the inverse record could falsely contain the name of a machine your machine trusts. The attacker then attempts an rlogin to your machine, which, believing the phony record, will accept the call.
 In another variant, the attacker contaminates the target’s cache of DNS responses prior to initiating the call. When the target does the cross-check, it appears to succeed, and the intruder gains access (poisoning DNS caches).
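The "cross-check" the slide refers to is the forward/reverse consistency test a careful rlogin-style server performs: look up the caller's address to get a name (PTR), then look the name up again (A) and require that it maps back to the same address. The Python below is an added example, not from the slides or any real resolver: it runs that test against a constructed in-memory resolver whose reverse tree for one block is under attacker control. The first variant (lying PTR record alone) fails the cross-check; the second variant (forward cache poisoned as well) passes it, which is exactly why cache poisoning is the more dangerous form. All names, addresses and zone data are constructed.

```python
TRUSTED_HOSTS = {"trusted.example.org"}

# Constructed zone data. The attacker controls the reverse tree for
# 198.51.100.0/24 and has made 198.51.100.7's PTR record claim a trusted name.
FORWARD = {
    "trusted.example.org": "192.0.2.10",
    "attacker.example.net": "198.51.100.7",
}
REVERSE = {
    "192.0.2.10": "trusted.example.org",
    "198.51.100.7": "trusted.example.org",   # the lie
}


class Resolver:
    """Toy resolver standing in for the system's DNS cache."""

    def __init__(self, forward, reverse):
        self.forward = dict(forward)
        self.reverse = dict(reverse)

    def ptr(self, ip):
        return self.reverse.get(ip)

    def a(self, name):
        return self.forward.get(name)


def name_only_is_trusted(ip, resolver, trusted=TRUSTED_HOSTS):
    """The naive check: believe whatever the inverse record says."""
    return resolver.ptr(ip) in trusted


def caller_is_trusted(ip, resolver, trusted=TRUSTED_HOSTS):
    """The cross-checked version: the name's forward record must point back at ip."""
    name = resolver.ptr(ip)
    if name is None or name not in trusted:
        return False
    return resolver.a(name) == ip


HONEST = Resolver(FORWARD, REVERSE)
# Second variant from the slide: the target's forward cache has also been
# poisoned so that the trusted name resolves to the attacker's address.
POISONED = Resolver({**FORWARD, "trusted.example.org": "198.51.100.7"}, REVERSE)

if __name__ == "__main__":
    print("naive, lying PTR only:", name_only_is_trusted("198.51.100.7", HONEST))
    print("cross-check, lying PTR only:", caller_is_trusted("198.51.100.7", HONEST))
    print("cross-check, poisoned cache:", caller_is_trusted("198.51.100.7", POISONED))
```

The lesson the two results carry is that the cross-check raises the bar but still trusts data the attacker may be able to influence; address-based trust (rlogin, `.rhosts`) should be replaced by authentication that does not depend on DNS at all.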
IP version 6
 Easy renumbering is one of the design goals. They need to know about authentic renumbering events; fraudulent ones should.
 The simplest address type is the global unicast address, which is similar to IPv4 addresses. In the absence of other configuration mechanisms, hosts can generate their own IPv6 address from the local prefix and their MAC address.
Wireless Security
 To provide random, casual access to these networks, the protocol designers added a symmetric key encryption algorithm called Wired Equivalent Privacy (WEP).
 WEP was an easily broken authentication mechanism. It provides a sense of security, without useful security.
 Remember that just because you cannot access your wireless network from the parking lot, it does not mean that someone with a high gain antenna cannot reach it from a mile away.
Security Review of Protocols: Upper Layers
Messaging
SMTP
 In traditional SMTP, the caller specified a return address in the MAIL FROM command. At this level, there is no reliable way for the local machine to verify the return address. You do not know for sure who sent you mail based on SMTP.
MIME
 The content of the mail can also pose dangers. Apart from possible bugs in the receiving machine’s mailer, automated execution of Multipurpose Internet Mail Extensions (MIME) – encoded messages is potentially quite dangerous.
The Web: Threat or Menace?
The Web Protocols
HTTP
 A typical HTTP session consists of a GET command specifying a URL.
 HTTP methods
   GET
   POST
   PUT
   DELETE
   HEAD
 Managing Connection State
 Concept of Session
1) One way to link requests is to encode state information in the next URL to be used by the client.
 For example, URL: /cgi-bin/nxt?state=189752fkj
2) If HTML forms are being used, another way is to include HIDDEN input fields. These are uploaded with the next POST request, just as ordinary form fields are, but they are not displayed to the user.
3) Cookies
SSL (Secure Socket Layer – Protocol)
 It is used to provide a cryptographically protected channel for HTTP requests.
 In general, the server is identified by a certificate.
 SSL contains a cryptographic association identifier. This connection identifier also serves as a web session identifier.
 There is no guarantee that the session identifier is random.
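Two of the points above (state carried in URLs or hidden form fields, and session identifiers that are not guaranteed to be random) share one remedy on the server side: anything handed to the client and trusted on return must be integrity-protected, and anything used as a session identifier must be unguessable. The Python below is an added example, not from the slides: it signs a state blob with an HMAC so a client cannot alter the `state=` value or hidden field without detection, and generates session identifiers from the operating system's CSPRNG. The server key, the state dictionary and the token format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Per-server secret. Constructed at import time for the example; a real
# deployment would load it from protected configuration so it survives restarts.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Encode state for a URL parameter or hidden field: <base64 body>.<hex HMAC>."""
    body = _b64(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag is valid, else None. Constant-time compare."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; not derivable from time, PID or a counter."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = sign_state({"user": "alice", "step": 2})
    print("/cgi-bin/nxt?state=" + token)
    print(verify_state(token))
    print(new_session_id())
```

Signing protects integrity only: the state is still readable by the client, so secrets do not belong in it, and a signed token can be replayed unless it also carries something the server checks for freshness.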

FTP
 Users can supply simple web content – files, pictures – without installing and supporting an entire web server.
URLs
 A URL specifies a protocol, a host, and (usually) a file name somewhere on the Internet. For example:
 http://wilyhacker.com:8080/ches/ is a pointer to a home page. The protocol here, and almost always, is http.
Risks to the Clients
 Web clients are at risk because servers tell them what to do, often without the consent or knowledge of the user.
 Browsers do offer users optional notification when some dangerous activities or changes occur.
ActiveX
 Microsoft’s ActiveX controls cannot harm you if you run UNIX. However, in the Windows environment, they represent a serious risk to Web clients.
Java and Applets
JavaScript
Browsers
Risks to the Server
Access Controls
 Web servers can be configured to restrict access to files in particular directories.
 When a user requests a file in the protected directory, the server sends a reply that authentication is needed. This is called Basic Authentication.
 It is a weak type of access control: the information is encoded but not cryptographically protected.
 There is also a protocol called Digest Authentication that does not reveal the password, but instead uses it to compute a function. It is more secure than Basic Authentication.
 It is still vulnerable to dictionary attack.
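The difference between "encoded" and "cryptographically protected" above is easy to show in code. The Python below is an added example, not from the slides: it decodes a Basic credential (which is just base64 of `user:password`) and then computes and verifies a Digest response the way RFC 2617 describes it without the `qop` extension, using MD5 over `user:realm:password` (HA1) and `method:uri` (HA2). The server stores only HA1 and the password never crosses the wire. The realm, nonce and credentials are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed Basic credential: base64("alice:s3cret") == "YWxpY2U6czNjcmV0".
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()


def decode_basic(header_value):
    """Recover (user, password) from an Authorization: Basic value.
    Nothing secret is involved: base64 is an encoding, not encryption."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(b64, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    """What a Digest server stores instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, nonce, method, uri):
    """Client side: response = MD5(HA1 ':' nonce ':' HA2), HA2 = MD5(method ':' uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1(user, realm, password)}:{nonce}:{ha2}")


def server_verify_digest(stored_ha1, nonce, method, uri, response):
    """Server side: recompute from the stored HA1 and the nonce it issued."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed server-side values.
REALM = "secure-area"
NONCE = "constructed-nonce-0001"        # a real server issues a fresh one per challenge
STORED_HA1 = ha1("alice", REALM, "s3cret")

if __name__ == "__main__":
    print(decode_basic(SAMPLE_BASIC_HEADER))
    resp = digest_response("alice", REALM, "s3cret", NONCE, "GET", "/dir/index.html")
    print(server_verify_digest(STORED_HA1, NONCE, "GET", "/dir/index.html", resp))
```

The dictionary-attack caveat on the slide follows directly from the shape of the computation: the response is a deterministic, fast function of the password, so anyone who captures a challenge and response (or the stored HA1) can test candidate passwords offline, which is why Digest is an improvement over Basic but not a substitute for TLS plus a strong password policy.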
Risks to the Server
Server-Side Scripts
Securing the Server Host
Choice of Server
Web Servers vs. Firewalls
A Web server on the inside of a firewall
 One option is to put the Web server inside the firewall, with a hole punched through to allow outside access. This is similar to some mail or netnews gateways; it protects most of the server from attack.
 If the Web server itself is penetrated, the entire inside network is open to attack.
A web server on the outside of a firewall
 Another option is to put the Web server outside the firewall, which may work if the machine is armored against attack. Web servers are not general-purpose machines; all of the other dangerous services can be turned off, much as they are on firewall machines.
 That will suffice if you have a secure method of updating the content on the server.
A web server with firewalls on either side
 The net the server is on – the DMZ net – needs more than the customary amount of protection.
 If you are using a dynamic or conventional packet filter, there is no problem unless you are trying to do content filtering; it is easy to configure the firewall to pass the packets untouched.
 If you are using an application gateway, or if you are using a circuit relay other than SOCKS, life is a bit more complex. The best solution is to require the use of a Web proxy, a special program that will relay Web requests.
 Next, either configure the firewall to let the proxy speak directly to the world, or modify the source code of one of the free proxy servers to speak to your firewall.
The Web and Databases
 An increasingly common use for Web servers is to use them as front ends for databases of one sort or another.
 The reason is simple: virtually every user and every platform has a high-quality browser available. Furthermore, writing HTML and the companion CGI scripts is probably easier than doing native-mode programming for X11.
 If web servers are as vulnerable and fragile as we claim, it may be a risky strategy. Given that the most valuable resource is generally the database itself, our goal is to protect it, even if the web server is compromised.
 We do this by putting the database engine on a separate machine, with a firewall between it and the Web server.
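The layout just described (outside, a DMZ holding the web server, and an inside network holding the database) is the same three-zone picture the earlier Gateways and Firewalls and DMZ slides sketch, and the firewall rule "only authorized traffic, as defined by the local security policy, will be allowed to pass" becomes concrete once written as a rule set. The Python below is an added example serving both passages; it is not the slides' own material or any real firewall's syntax. It evaluates a first-match, default-deny policy over constructed zones and addresses: the outside may reach the web server on 80/443 only, the web server may reach the database on its one port only, and nothing else crosses a boundary. The point to check is what a compromised web server can still reach.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and hosts.
ZONES = {
    "inside": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
    "outside": ip_network("0.0.0.0/0"),   # everything not matched above
}
WEB_SERVER = "192.0.2.10"   # lives in the DMZ
DB_SERVER = "10.0.5.20"     # lives inside, behind the second firewall

# (src selector, dst selector, proto, dst port or None=any, action); first match wins.
RULES = [
    ("outside", WEB_SERVER, "tcp", 443, "allow"),
    ("outside", WEB_SERVER, "tcp", 80, "allow"),
    (WEB_SERVER, DB_SERVER, "tcp", 5432, "allow"),   # web tier -> database only
    ("inside", "outside", "tcp", None, "allow"),      # staff browsing out
]
DEFAULT_ACTION = "deny"


def zone_of(ip):
    """Most specific zone first; 'outside' is the catch-all."""
    addr = ip_address(ip)
    for name in ("inside", "dmz", "outside"):
        if addr in ZONES[name]:
            return name
    return "outside"


def _matches(selector, ip):
    return selector == ip or selector == zone_of(ip)


def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow, as the firewall pair would."""
    for rsrc, rdst, rproto, rport, action in RULES:
        if (_matches(rsrc, src) and _matches(rdst, dst)
                and rproto == proto and (rport is None or rport == dport)):
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", WEB_SERVER, "tcp", 443),   # public web traffic
        ("203.0.113.5", DB_SERVER, "tcp", 5432),   # outside straight to the database
        (WEB_SERVER, DB_SERVER, "tcp", 5432),      # the one path the app needs
        (WEB_SERVER, "10.0.5.21", "tcp", 5432),    # compromised web server probing inside
        (WEB_SERVER, DB_SERVER, "tcp", 22),        # wrong port, even to the database
    ]
    for flow in checks:
        print(flow, "->", decide(*flow))
```

The rule set is small on purpose: the security of the design comes from the default deny and from the single, narrow web-to-database rule, not from the number of rules.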
Classes of Attacks
1. Stealing Passwords
 A successful login is based on supplying the correct password within a reasonable number of tries.
 In the history of the generic login program, one system’s security was based on the secrecy of the name of the password file: it was readable by anyone who knew its name. The system’s security was “protected” by ensuring that the system’s directory command would not list that filename.
 A high percentage of system penetrations occur because of the failure of the entire password system.
 The most common problem is that people tend to pick very bad passwords.
2. Social Engineering
 There are other approaches as well, such as mail-spoofing.
 Certain actions simply should not be taken without strong authentication.
 “three-way handshake”
 This is not foolproof: even a privileged user’s account can be penetrated.
3. Bugs and Back Doors
 Stack-smashing (buffer overrun)
4. Authentication Failures
 Source-address validation
 Hackers can use rpcbind to retransmit certain requests.
 Sometimes authentication fails because the protocol does not carry the right information – identification of the sending user
 Authentication Races
5. Protocol Failures

6. Information Leakage
 Computer Spying
7. Exponential Attacks – Viruses and Worms
 Exponential attacks use programs to spread themselves, multiplying their numbers quickly.
 When the programs travel by themselves, they are worms.
 When they attach to other programs, they are viruses.
8. Denial-of-Service Attacks
 They are the simple overuse of a service – straining software, hardware, or network links beyond their intended capacity.
 Shutting down a service should be easy to detect (the source of the attack may not be).
 There is no absolute remedy for a denial-of-service attack. As long as there is a public service, the public can abuse it.
Attacks on a Network Link
 Network link attacks can range from a simple flood of email (mail bombing or spamming) to the transmission of packets carefully crafted to crash software on a target host.
 The basic attack is to flood a network link. Attackers need only generate more packets than the recipient can handle.
Attacking the Network Layer
 Many of the worst attacks are made on the network layer – the TCP/IP implementation in the host. TCP/IP is tens of thousands of lines of C code and runs in host computers, so it is hard for a developer to debug all possible problems.
 Killer and ICMP Packets – to disrupt its communication – Destination Unreachable
 SYN Packet Attacks – half-open TCP SYN packets
 Application Level Attacks – Spam
   FTP to send a few gigabytes
   Email
DDoS
 Distributed Denial-of-Service (DDoS) attacks use many hosts on the Internet.
 It is more difficult to recover from because the attacks come from all over.
 The message from master to slave usually has a spoofed source address, and can even use cryptography to make the messages harder to identify.
What to Do About a Denial-of-Service Attack
1. Find a way to filter out the bad packets,
2. Improve the processing of the incoming data somehow,
3. Hunt down and shut down the attacking sites, and
4. Add hardware and network capacity to handle your normal load plus the attack.
9. Botnets
 Many hackers have constructed botnets: groups of bots – robots, zombies, and so on.
10. Active Attacks
