System and Network Security Overview
What is network security about?
It is about secure communication.
Why may the communication be insecure?
Everything is connected by the Internet.
We will often use Alice and Bob.
Alice is on vacation and wants to send a command to her assistant, Bob, or just to a computer that controls the nuclear power plant. How can she do that?
What is it about?
There are eavesdroppers that can listen on the communication channels.
Information needs to be forwarded through packet switches, and these switches can be reprogrammed to listen to or modify data in transit.
Is it hopeless for Alice?
Other examples
Alice sends Bob some sensitive information via the Internet.
A network manager remotely changes some Access Control Lists (interception, impersonation).
On-line stock trading: a customer denies that she has sent the order.
Cryptography
Cryptography allows us to disguise data so that eavesdroppers gain no information from listening.
Cryptography also allows us to create unforgeable messages and to detect whether a message has been modified in transit.
Network/System Security Overview
Cryptography: secret key cryptography, modes of operation, hashes and message digests, public key cryptography, some number theory, AES and elliptic curve cryptography
Authentication: how can Alice prove that she is Alice on networks?
Standards: Kerberos, PKI, IPSec, SSL; the underlying philosophy for these standards, that is, the intuition behind various choices, design decisions, and flaws in these standards
Email security
Firewalls and secure systems
Two kinds of security
Computer security
Network security
Vulnerabilities of computer systems
attacks on hardware
attacks on software: deletion, modification (Trojan horse, trapdoor/backdoor, covert channel), infection through computer virus, theft, copying
attacks on data: compromising secrecy & integrity
attacks on other resources: storage media, time, key people
Computer security
The goal is to protect data and resources. How to design security mechanisms?
Cost/benefits
Threat model
Trust model
Available tools
Where to use security tools
Security is not only about cryptography
Identify the weakest point
Failures of security mechanisms
Failure to understand the threat model
Failure to understand what a mechanism protects against and what it does not
Bad design
Implementation fault
Misconfiguration
Bad interaction with other parts
Bad user interface
Network security
Security of data in transit
Security of data at rest
Importance of network security
Increasingly large deployment of networked computers
Sensitive information/resources are coming online: personal information, financial services, military, infrastructure
Large number of users, large amounts of money
Reactions to Information Security
Active research in security & privacy (numerous conferences each year)
New laws
Education
Collaborations between governments, industries & academia
Employment of computer security specialists
Common network terms
IP, UDP, TCP
Directory services
Packet switching
[Figure: a packet-switched network connecting Alice and Bob through routers R1 to R6 and a token ring, with the attacker Trudy attached to one of the routers]
Differences from systems security
Attacks come from anywhere, at any time
Highly automated attacks
Physical security measures are inadequate
Wide variety of applications, services, protocols involved
No single authority/administrator
Methods of defence (1)
modern cryptography: encryption, authentication codes, digital signatures, etc.
software controls: standard development tools (design, code, test, maintain, etc.), operating system controls, internal program controls (e.g. database), firewalls
Methods of defence (2)
hardware controls: security devices (smart cards, ..., SecurID)
physical controls: locks, guards, backup of data & software, thick walls, ...
security policies & procedures, user education, law
Introduction to Network Security
Intro Network Security
To assess the security needs of an organization effectively and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. One approach is to consider 3 aspects of information security:
Security attack: any action that compromises the security of information owned by an organization
Security method: a mechanism that is designed to detect, prevent, or recover from a security attack
Security service: a service that enhances the security of the data processing systems and the information transfers of an organization
The services are intended to counter security attacks, and they make use of one or more security methods to provide the service.
Classification of Security Services
Confidentiality – Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties
Authentication – Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false
Integrity – Ensures that only authorized parties are able to modify computer system assets and transmitted information
Nonrepudiation – Requires that neither the sender nor the receiver of a message be able to deny the transmission (nonrepudiation with proof of origin/delivery)
Access control (Authorization) – Requires that access to information resources may be controlled by or for the target system
Availability – Requires that computer system assets be available to authorized parties when needed
Threats
1. Passive attacks
   Illegal interception (secrecy)
   Traffic analysis
2. Active attacks
   1. Denial of Service / Interruption (availability)
   2. Un-authorised modification (integrity)
   3. Fabrication (authenticity)
   4. Replay
   5. Man-in-the-middle attacks
   6. Modification of messages
Illegal Interception
also called "un-authorised access"; difficult to detect, as it leaves no traces
example: the US military Tempest program measures how far away an intruder must be before eavesdropping is impossible.
The movement of electrons can be measured from a surprising distance (control zone).
Traffic analysis
Military applications (spy identification)
Zeroknowledge Inc. http://www.zeroknowledge.com/ (anonymous web browsing and private, encrypted, untraceable email for customers; services stopped)
AT&T Crowds project (system for protecting your anonymity while you browse the web)
Anonymizer http://www.anonymizer.com/
Untraceable e-mails: Mix by David Chaum
Denial of Service
also called "Interruption". Recent example: DDoS; the tool used in that DDoS was trinoo, http://staff.washington.edu/dittrich/misc/trinoo.analysis
Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
Un-authorized Modification
un-authorised access & tampering with a resource (data, programs, hardware devices, a copy of a hand-written signature, etc.)
Example: some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect.
Fabrication and Impersonation
fabricate counterfeit objects (data, programs, devices, etc.)
related examples: counterfeit bank notes, fake cheques
impersonation/masquerading: to gain access to data, services, etc. It takes place when one entity pretends to be a different entity. Example: by capturing authentication sequences and replaying them.
Replay attacks
Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. The attacker records a valid transaction and plays it back again later. This is most often possible when the same shared key is used between two peers. Defending against replay attacks is possible but painful, as it requires maintenance of state.
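An added illustration (not from the slides) of the state a replay defence needs: the receiver remembers the highest sequence number it has accepted, and the sequence number is bound to the payload by an HMAC-SHA256 tag under the shared key. The key, message format and helper names are assumptions made for this example.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"   # the key shared by the two peers (constructed)

def make_message(key: bytes, seq: int, payload: str):
    """Sender side: the tag covers the sequence number and the payload together,
    so an attacker can neither alter the payload nor bump the counter."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

class Receiver:
    """Holds the state replay defence needs: the highest sequence number accepted."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []

    def receive(self, body: bytes, tag: str) -> str:
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"        # modified or fabricated message
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"         # recorded earlier and played back
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return "accepted"

def demo():
    """Two genuine messages, then a replay of the first, then a tampered copy."""
    rx = Receiver(KEY)
    m1 = make_message(KEY, 1, "transfer 100")
    m2 = make_message(KEY, 2, "transfer 5")
    results = [rx.receive(*m1), rx.receive(*m2), rx.receive(*m1)]
    tampered = (m2[0].replace(b'"transfer 5"', b'"transfer 50"'), m2[1])
    results.append(rx.receive(*tampered))
    return results, rx.accepted
```

A strictly increasing counter also rejects legitimately reordered messages, which is why IPsec keeps a sliding anti-replay window instead, and the counter must survive a restart or the peers must rekey.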
Man-in-the-middle attack
An attack in which an attacker is able to read, insert and modify at will messages between two parties, without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims.
MITM attacks on SSL: Alice <-> attacker <-> real site
Mafia-in-the-middle attack (figure): Alice <-> coffee <-> jewelry
Modification of message
Some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect
How to defeat these attacks?
illegal interception: secrecy
traffic analysis: mix
un-authorised modification: integrity
impersonation, re-play, man-in-the-middle: authentication, authorization
denial of service: other mechanisms
Key escrow for law enforcement
Law enforcement would like to preserve its ability to wiretap otherwise secure communication.
A government that wants to wiretap all the time must prevent the use of encryption, break the codes used for encryption, or somehow learn everyone's cryptographic key.
The Clipper proposal attempted the third option (encryption is done with the Clipper chip, which has a unique key).
At present, government is giving up control of cryptography.
Key escrow for careless users
It is prudent to keep your key in a safe place. Where?
Do you trust the unique key bank?
Split your keys and deposit the parts in several independent places.
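One way to split a key across several independent depositories, added here as an example (not from the slides): Shamir secret sharing, in which any k of n shares rebuild the key while any fewer than k reveal nothing about it. The prime field, share format and function names are assumptions made for this example.

```python
import secrets

P = 2**521 - 1   # prime field for the shares (Mersenne prime; keys up to 512 bits fit)

def split_key(key: int, k: int, n: int) -> list:
    """Shamir k-of-n: random degree-(k-1) polynomial whose constant term is the key;
    share i is the point (i, f(i)). Any k shares recover the key, fewer reveal nothing."""
    assert 0 <= key < P and 1 <= k <= n
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_key(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the given (distinct) shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key

def demo() -> bool:
    """Deposit 5 shares in independent places; any 3 of them rebuild the key."""
    key = int.from_bytes(secrets.token_bytes(32), "big")   # constructed 256-bit key
    shares = split_key(key, 3, 5)
    return (recover_key(shares[:3]) == key
            and recover_key([shares[0], shares[2], shares[4]]) == key)
```

No single depository (the "key bank" of the slide) holds enough to recover the key, and losing up to n-k of them is tolerated.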
Digital Pest: Virus, Worms, Trojan Horses
No need to distinguish them... but:
Trojan horse: instructions hidden in useful code
Virus: when executed, inserts a copy of itself in other code
Worm: self-replicating code
Trap (back) door: undocumented entry point
Logic bomb: malicious instructions which trigger on some event, such as a particular time occurring
Zombie: malicious code installed on a system that can be remotely triggered to do bad things
More on Digital Pest
Is it possible to detect a digital pest in a program?
– One of the famous results in computer science is that it is impossible to tell what an arbitrary program will do by looking at it!
– In fact it is impossible in general to discern any nontrivial property of a program by looking at it (e.g. whether the program will halt).
Anyway, nobody looks.
– Open source can help: maybe someone else will look!
A virus can be installed in any program as follows:
– Replace any instruction, say the instruction at location x, by a jump to some free space in memory, say location y; then
– Write the virus program starting at location y; then
– Place the instruction that was originally at location x at the end of the virus program, followed by a jump to x+1.
Replication
– Besides the delayed planned damage, the virus replicates itself silently.
– If it did not wait before damaging the infected system, it would not spread as far!
Where do they come from ?
Commercial package: malicious employee? Infected before shipping?
Emails
Floppy disk boot
CDROM start-up execution
Spreading from machine to machine (scripts, guessing passwords automatically, ...)
Virus Checker
Check the instruction sequences for lots of types of viruses (virus patterns)
A smart virus changes its form each time (polymorphic virus): more work for the virus checker to detect, but still possible
Using snapshots of the files (not useful for some kinds of code)
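A toy checker, added here as an example (not from the slides), showing the two approaches just listed side by side: pattern scanning (with one pattern loose enough to catch a form-changing variant) and a digest snapshot that flags any image that changed. The signatures and the sample program images are constructed byte strings for the demo, not real malware.

```python
import hashlib
import re

# Constructed signatures standing in for a scanner's instruction patterns
# (hypothetical byte strings for this demo, not real malware).
SIGNATURES = {
    "demo.fixed": re.compile(rb"\x90\x90\xeb\x12"),
    # A polymorphic variant keeps its skeleton (jmp ... call ... pop) but varies the
    # filler bytes, so the pattern allows for them: more work, but still detectable.
    "demo.polymorphic": re.compile(rb"\xeb.{1,4}?\xe8.{4}\x5e", re.DOTALL),
}

def scan_signatures(data: bytes) -> list:
    """Names of all signatures found in a file image."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]

def snapshot(files: dict) -> dict:
    """SHA-256 per file: the baseline of a known-clean system."""
    return {path: hashlib.sha256(blob).hexdigest() for path, blob in files.items()}

def changed_since(snap: dict, files: dict) -> list:
    """Files whose digest differs from the baseline, or that are new.
    Self-modifying programs and data files change legitimately, which is why
    the slides note that snapshots are not useful for some kinds of code."""
    current = snapshot(files)
    return sorted(p for p, h in current.items() if snap.get(p) != h)

# Constructed sample system: two clean program images.
CLEAN = {
    "/bin/editor": b"\x55\x89\xe5\x83\xec\x10" + b"\x00" * 16,
    "/bin/mailer": b"\x55\x48\x89\xe5" + b"\x00" * 24,
}

def demo() -> dict:
    snap = snapshot(CLEAN)
    infected = dict(CLEAN)
    # File-level effect of the infection described on the slides: an early
    # instruction becomes a jump to code appended at the end of the image.
    infected["/bin/mailer"] = (b"\x55\xeb\x1b\x90" + b"\x00" * 24
                               + b"\xeb\x01\x00\xe8\x00\x00\x00\x00\x5e")
    return {
        "changed": changed_since(snap, infected),
        "hits": {p: scan_signatures(b) for p, b in infected.items() if scan_signatures(b)},
    }
```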
Best practices
No perfect virus checker. Some precautions:
Do not run software from unknown sources
Frequently run virus checkers
Run code in the most restricted environments
When the system tells you something is dangerous, do not try it
Do frequent backups
Do not boot off floppies, do not insert suspicious CDs into the CDROM
Best Practices: How to protect a machine
Three key items would increase the security of a system and protect it from attacks:
1. Install critical security updates / patches for the Operating System and the services / programs running on the machine as soon as they become available (on the Microsoft platform, sign up for Automatic Windows Updates). Those will patch backdoors and design flaws / security vulnerabilities which can be exploited.
2. Install antivirus software, and ensure it updates itself properly / constantly with the latest virus definitions.
3. Install a firewall: as most attacks will come from the network, closing unused ports would substantially decrease the chances of a successful attack.
Authentication and authorization
In a network application, the first question is "who are you?" and then "what are you allowed to do?" Authentication proves who you are and authorization defines what you can do.
Access Control Lists (ACL): database listing who can access a certain object
Capability Model: database listing what each user can do
Access Control Lists
S\O      Operating system   Accounts program   Accounting data   Audit trail
Sam      rwx                rwx                rw                r
Alice    x                  x                  rw                r
Bob      rx                 r                  r                 ?
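An added example (not from the slides) that builds both representations from the access matrix above, an ACL keyed by object and a capability list keyed by subject, checks that they give the same answers, and shows which question each answers cheaply. The one cell the matrix does not show clearly (Bob's audit-trail entry) is left out; the function names are assumptions made for this example.

```python
from collections import defaultdict

# Access matrix from the slide: subject -> object -> rights (r/w/x).
MATRIX = {
    "Sam":   {"Operating system": "rwx", "Accounts program": "rwx",
              "Accounting data": "rw", "Audit trail": "r"},
    "Alice": {"Operating system": "x", "Accounts program": "x",
              "Accounting data": "rw", "Audit trail": "r"},
    "Bob":   {"Operating system": "rx", "Accounts program": "r",
              "Accounting data": "r"},          # audit-trail cell not legible on the slide
}

def to_acl(matrix: dict) -> dict:
    """ACL view: one list per object, saying which subjects may do what to it."""
    acl = defaultdict(dict)
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acl[obj][subject] = set(rights)
    return dict(acl)

def to_capabilities(matrix: dict) -> dict:
    """Capability view: one list per subject, saying what it may do to each object."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}

def acl_allows(acl: dict, subject: str, obj: str, op: str) -> bool:
    # Keyed by object first: "who can access this object?" is a single lookup.
    return op in acl.get(obj, {}).get(subject, set())

def cap_allows(caps: dict, subject: str, obj: str, op: str) -> bool:
    # Keyed by subject first: "what can this user do?" is a single lookup.
    return op in caps.get(subject, {}).get(obj, set())

def who_can(acl: dict, obj: str, op: str) -> list:
    """Cheap with an ACL; with capabilities it would mean scanning every subject."""
    return sorted(s for s, rights in acl.get(obj, {}).items() if op in rights)

def revoke_subject(acl: dict, caps: dict, subject: str) -> None:
    """Removing a user: one deletion in the capability store, but a walk over every ACL."""
    caps.pop(subject, None)
    for rights in acl.values():
        rights.pop(subject, None)
```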
Covert channels
A covert channel is a method for a Trojan horse to circumvent the automatic confinement of information within a security perimeter (assume the Trojan horse program does not have enough privileges to directly send confidential data outside the system).
Example: the OS enforces multilevel security. A bad guy tricks a "TOP SECRET" user into running a Trojan horse.
Covert channels (cont.)
The timing channel: the Trojan horse program alternately loops and waits, in cycles of, say, one minute per bit (of the confidential data). When the bit is 1, the program loops for one minute; when the bit is 0, the program waits for a minute. Another program running on the same computer (but without access to the sensitive data) constantly tests the load caused by the Trojan horse.
The storage channel: the Trojan horse program loads a (printer) queue to represent a 1, and deletes its jobs to represent a 0. It is easy to check the queue status and get the information.
The error channel: the Trojan horse program creates a file to represent a 1, and deletes it to represent a 0. The external process tries to read the file: different error messages are reported when the file exists (but access to it is not permitted) and when the file does not exist, and these are used to distinguish between the 0s and 1s.
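An added example (not from the slides) modelling the error channel above in memory, next to the mitigation: an interface that reports only that a read failed, not why, so the low-clearance reader can no longer tell "missing" from "forbidden". The Namespace class, the flag file and the bit values are constructed for this demo.

```python
class FileNotFound(Exception): pass
class AccessDenied(Exception): pass
class ReadFailed(Exception): pass

class Namespace:
    """Files as seen by a low-clearance reader: name -> readable_by_low flag."""
    def __init__(self):
        self.files = {}

    # The Trojan horse (running with the TOP SECRET user's rights) may create or
    # delete its own file, but cannot make it readable to the low reader.
    def create(self, name):
        self.files[name] = False
    def delete(self, name):
        self.files.pop(name, None)

    def leaky_read(self, name):
        """Leaky interface: the error says *why* the read failed."""
        if name not in self.files:
            raise FileNotFound(name)
        if not self.files[name]:
            raise AccessDenied(name)
        return "data"

    def hardened_read(self, name):
        """Hardened interface: 'missing' and 'forbidden' collapse into one error."""
        if name not in self.files or not self.files[name]:
            raise ReadFailed(name)
        return "data"

def probe(read, name):
    """Low reader: learns one bit per attempt if the errors differ, nothing otherwise."""
    try:
        read(name)
    except FileNotFound:
        return 0
    except AccessDenied:
        return 1
    except ReadFailed:
        return None

def transmit(bits, hardened):
    """Drive the channel over constructed bits; returns what the low reader learns."""
    ns = Namespace()
    read = ns.hardened_read if hardened else ns.leaky_read
    learned = []
    for bit in bits:
        ns.create("flag") if bit else ns.delete("flag")
        learned.append(probe(read, "flag"))
    return learned
```

Uniform errors close only the error channel; the storage and timing channels above need other controls (quotas, noise, or limiting the observable shared resources).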