
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category

A Thesis Presented to
The Faculty of the School of Engineering and Applied Science
University of Virginia

In Partial Fulfillment
of the Requirements for the Degree
Master of Science (Computer Science)

By
Brownell Kerr Combs
May 1999




The Pseudo-Internal Intruder
                                                                               ii



Approval Sheet

This thesis is submitted in partial fulfillment of the requirements for the degree of
Master of Science (Computer Science)

______________________________________________________
Author's Name

This thesis has been read and approved by the Examining Committee:

______________________________________________________
Thesis Advisor

______________________________________________________
Committee Chairman

______________________________________________________

Accepted for the School of Engineering and Applied Science:

______________________________________________________
Dean, School of Engineering and Applied Science

May, 1999







Abstract
        Intruders attack both commercial and federal distributed systems frequently, and
often successfully. The problem of intruders has become critical. The most effective
defense today is the use of intrusion detection systems, because it is widely considered to
be impossible to build complicated distributed systems that completely prevent
unauthorized intrusions. Since 1980 the intrusion detection community has divided
intruders into two categories based on the intruder's access to a system. Internal
intruders have legitimate access through user accounts; external intruders break into a
system without benefit of a user account.
        The proliferation of distributed systems with complex networks has necessitated a
reexamination of intruder definitions. When the notion of internal and external intruders
was defined, systems were largely stand-alone computers – typically contained in a single
area sometimes with remote peripherals. Today computers are part of networked,
distributed systems that may span multiple buildings sometimes located thousands of
miles apart. The network of such a system is a pathway for communication between the
computers in the distributed system. The network is also a pathway for intrusion.
        We define a new category, the pseudo-internal intruder. This new category
encompasses intruders without user accounts who circumvent the perimeter defenses of a
modern distributed system and attack the system via its network. In contrast, external
intruders attack a system from the outside through a system's perimeter defenses. Having
a pseudo-internal category is useful because it gives the intrusion detection community a
framework in which to clearly describe the capabilities of the pseudo-internal intruder,
defend against the pseudo-internal intruder, and develop techniques for detecting the
pseudo-internal intruder.







Acknowledgments
        I would like to thank my advisor, Dr. Anita Jones, not only for her guidance and
support during the thesis process, but her help and advice with my career.
        I would also like to thank Bob Sielken for thought provoking discussions on the
topic of intruders, Andy Lowe for help with the case study network and technical
proofreading, Chris Milner for advice on numerous tasks around the department, and
Peggy Reed for always being willing to lend a hand. I also appreciate the flexibility of
my employers at SAIC, Robert Schlansker, Dave Carothers, and William Baugh, in
allowing me to split time between work and school.
        Thanks and love to Melissa Meehan and Craig Hille for their support and making
my time in Charlottesville much more enjoyable.
        Lastly, I send my love and appreciation to my mother, father, and stepfather for
all of their support and unconditional love since I departed for boarding school some 9
years ago. I could never have achieved this without you.







Table of Contents

Approval Sheet, p. ii
Abstract, p. iii
Acknowledgments, p. iv
Table of Contents, p. v
Figures, p. vi
Tables, p. vii
Chapter 1: The Pseudo-Internal Intruder, p. 1
   1.1 Introduction, p. 1
   1.2 Literature Survey, p. 2
   1.3 Approaches to Categorizing Intruders, p. 6
   1.4 Definitions, p. 10
   1.5 A New Access Oriented Intruder Category, p. 18
   1.6 The Pseudo-Internal Intruder: A Distinct Category?, p. 21
Chapter 2: Capabilities of the Pseudo-Internal Intruder, p. 24
   2.1 Tools and Techniques Used by the Pseudo-Internal Intruder, p. 24
   2.2 Dangers of the Pseudo-Internal Intruder, p. 31
Chapter 3: Security Recommendations, p. 39
   3.1 Defending Systems Against the Pseudo-Internal Intruder, p. 39
   3.2 Defending the Distributed System: Preventing Intruder Access, p. 43
   3.3 Defending the Distributed System: Mitigating Intruder Access, p. 46
   3.4 Defending the Distributed System: Detecting Intruder Access, p. 49
Chapter 4: Case Study, p. 52
   4.1 Introduction, p. 52
   4.2 The Target System, p. 53
   4.3 The Pseudo-Internal Intruder Attacks, p. 57
   4.4 Expected Results, p. 59
   4.5 Results of Attacks on Target System, Phase 1, p. 60
   4.6 Security Changes Made to Testbed System for Phase 2, p. 65
   4.7 Results of Attacks on Target System, Phase 2, p. 68
   4.8 Summary, p. 72
Chapter 5: Conclusions and Future Work, p. 75
   5.1 Conclusions, p. 75
   5.3 Future Work, p. 76
References, p. 77







Figures

Figure 1-1: Physical Configuration of Example Network, p. 12
Figure 1-2: Network Configuration of Same Network from Figure 1-1, p. 17
Figure 1-3: Box Diagram of Intruder Categories, p. 19
Figure 2-1: IPv4 Packet Header, p. 25
Figure 4-1: Network Configuration of Phase 1 Testbed System, p. 55
Figure 4-2: Network Configuration of Phase 2 Testbed System, p. 67







Tables

Table 4-1: Nodes in Testbed Distributed System, p. 53




Chapter 1: The Pseudo-Internal Intruder

1.1     Introduction

        Each day intruders attack numerous distributed systems. A 1996 report estimated that Department of Defense systems alone are attacked on average over 680 times per day [GAO96]. The report further estimated that as many as 65 percent of those attacks were successful in gaining access to sensitive information. More than 99 percent of all respondents reported at least one security incident in one recent survey [Pow99], while 78 percent of organizations responding to a 1996 survey reported financial loss from security breaches [DV97]. The Computer Emergency Response Team (CERT) annual reports show a 67 percent increase in security incidents handled annually by CERT from 1994 to 1998 [CER94, CER98].

        The problem of successful intrusions is not expected to end any time soon. Most experts believe that it is not practically possible to build a complex distributed system that is completely secure. Even if some new development allowed such a system to be created, the vast installed base of vulnerable systems would guarantee a lengthy transition period during which intrusions would still occur [Sun96]. For these reasons security experts advocate the use of intrusion detection systems.

        Developers of intrusion detection systems, and those responsible for network security of distributed systems, face the difficult task of defending against an ever changing set of potential intrusions. Each day new attack tools and techniques are developed and it is increasingly difficult for system administrators and intrusion detection system developers to stay ahead of malicious computer users (witness the recent success of the Melissa e-mail virus [CNN99]). Any framework that helps such administrators and developers to understand and classify potential intruders is useful in the struggle to protect distributed systems.

        Chapter 1 of the thesis introduces the topic of intruder categories, describes the evolution of intruder categories, and defines important terms and explains aspects of network security that are required to discuss the pseudo-internal intruder. Chapter 1 concludes with a definition and explanation of the pseudo-internal intruder as a new and distinct access oriented intruder category. Chapter 2 lists the tools and techniques available to pseudo-internal intruders and the threat represented by such intruders. Two example intrusion scenarios illustrate the threat of the pseudo-internal intruder. Chapter 3 describes an overall strategy that can be used to defend distributed systems against pseudo-internal intruders. Chapter 4 contains the results of a case study illustrating the effectiveness of the defensive strategy outlined in Chapter 3. Chapter 5 contains the conclusions of the thesis and speculates on interesting future work.



1.2     Literature Survey

        In 1980 J.P. Anderson introduced the concept of intrusion detection [And80]. Anderson proposed a "security surveillance system" involving formal examination of a system's audit logs. In examining the system threats, Anderson also introduced the notion of categorizing intruders based upon their access to a system. He noted that in "considering the threat problem, the principle breakdown of threats is on the basis of whether or not an attacker is normally authorized to use the computer system." Internal intruders were defined as those with permissions to access the system and external intruders were those without any permissions. Therefore the external intruder category included not only outsiders from other organizations, but anyone with physical proximity to the computer system, but without user access to the computer system.

        It is important to note that when Anderson wrote his report there were very few distributed systems. In fact, the report that introduced the concepts of intrusion detection and access oriented intruder categories was an actual study of a customer's single computer system, "the purpose of which was to improve… computer security…" Therefore, it is easy to see why Anderson chose not to differentiate between outsiders and those with physical access, but without authorized user access to the computer system. Whether through tapping wire communication (outsider) or physical access to a terminal (employee without permissions) the best that either could achieve was a login prompt. Both groups of intruders had to deal with the same technical barrier: the system's access control security measures.

        By the mid 1980s the landscape was, however, changing. Distributed systems were becoming predominant over single computer systems. That change started a debate in the network security field as to what changes should be made to existing security principles to adapt them to distributed systems. In 1985 Anderson claimed that "network security issues can be handled with the same concepts that apply to single computer systems" [And85].

        Anderson's opinion appeared to be in the minority. Nessett argued that "a strong case [could] be made that distributed systems admit important security issues that either are not applicable to stand-alone systems or are assumed to be rarely relevant… [Such] issues add extra dimensions to the distributed system security problem and invalidate attempts to simply extend existing concepts into the area of distributed system security" [Nes87]. Others pointed out that any protection mechanism residing in a single computer becomes insufficient when a computer is connected to a network because those mechanisms cannot protect the security of communication across the network [LS90]. Such distributed systems require a security enforcement mechanism for the network in addition to any mechanisms residing on single machines [LS90].

        There was, however, no dispute that both stand-alone and distributed systems needed real time intrusion detection. In her paper introducing a new intrusion detection model, Denning argued that "developing systems that are absolutely secure is extremely difficult, if not generally impossible. [Additionally], even the most secure systems are vulnerable to abuse by insiders who misuse their privileges" [Den87]. Denning's model of intrusion detection was an adaptation of Anderson's original idea of utilizing audit logs for intrusion detection. Since "exploitation of a system's vulnerabilities involves abnormal use of the system," intrusions can be detected by monitoring audit logs and other indicators for abnormal patterns of system usage [Den87].

        Denning's model of intrusion detection is considered to be the beginning of the second generation of intrusion detection, which was more statistically sophisticated, addressed distributed systems, and provided some real time alerts [JS99]. This second generation of intrusion detection systems is divided into two approaches: anomaly detection and misuse detection. Intrusion detection systems based on anomaly detection characterize the correct behavior of a system and then detect wrongful changes to that correct behavior. Misuse detection systems characterize known ways to penetrate a system and then monitor for those misuse characterizations to appear. This progression of intrusion detection can be more closely followed in a number of recent surveys of intrusion detection techniques and products [CH96, Lun93, Sun96, JS99].

        A majority of intrusion detection experts currently believe that the best intrusion detection system will contain both anomaly detection and misuse detection mechanisms. One such intrusion detection system that includes both anomaly detection and misuse detection mechanisms is the Next-generation Intrusion Detection Expert System (NIDES) [AFV95]. NIDES contains a statistically dynamic anomaly detector to catch internal intruders masquerading as legitimate users. A profile consisting of more than 30 different criteria (such as CPU usage and typical amounts of input and output) is maintained for each user. User actions are matched against that individual's profile and "when the observed activity departs from established patterns of use for an individual" alarms are raised by the intrusion detection system [SRI97]. The mechanism is statistically dynamic (as opposed to static) since NIDES adapts each user's profile over time. If a user's habits change slowly over time, the profile will be adapted to the new behavior without raising alarms. Profiles can also be created for workstations, remote hosts, groups of users, or particular application programs [JS99].

        NIDES also contains an expert system misuse detector to "detect attempts to exploit known security vulnerabilities of the monitored systems and intruders who exhibit specific patterns of behavior that are known to be suspicious or in violation of site security policy" [SRI97]. NIDES observes the system and compares its observations to a rule database of known intrusion scenarios and attack patterns. The security experts that created NIDES initially constructed the rule database, but the system administrator of the system NIDES is protecting can customize the database.

        Even though it is accepted that distributed systems require different security mechanisms than stand-alone systems, the intruder categories defined for stand-alone systems are still in use. Many modern intrusion detection system research papers still describe the threat of intruders as non-authorized (external) and authorized (internal) users [IKP95]. Recall that in Anderson's seminal paper he only evaluated the threat of an intruder with respect to whether the intruder had authorized user access to the computer. As discussed, this made perfect sense when considering a stand-alone computer. But with the proliferation of the distributed system, this way of categorizing intruders should be reexamined for distributed systems in a manner similar to the reexamination of security concepts.
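The two NIDES mechanisms described above, an adaptive per-user statistical profile (anomaly detection) and an administrator-extensible rule database (misuse detection), as an added illustration written for this page; it is not code from the thesis or from NIDES. The audit record fields, the two profile criteria, the `MIN_SD` floors, the `ADMINS` site policy and the sample records are all constructed assumptions.

```python
"""Miniature hybrid detector: adaptive statistical profiles plus a rule database.
Illustration only; the records, criteria and policy below are constructed."""
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AuditRecord:
    user: str
    event: str           # "login", "command" or "su" (constructed vocabulary)
    outcome: str         # "ok" or "fail"
    cpu_seconds: float   # one profile criterion, in the NIDES sense
    io_kilobytes: float  # another profile criterion


CRITERIA = ("cpu_seconds", "io_kilobytes")
# Minimum spread per criterion so a user with very regular habits does not
# alarm on trivial deviations (an assumption of this example, not of NIDES).
MIN_SD = {"cpu_seconds": 0.1, "io_kilobytes": 50.0}


@dataclass
class UserProfile:
    """Exponentially weighted mean/variance per criterion. alpha sets how fast
    the profile adapts, so slowly changing habits are absorbed without alarms."""
    alpha: float = 0.2
    warmup: int = 5         # records seen before the profile is trusted
    threshold: float = 3.0  # alarm when |z| exceeds this many standard deviations
    count: int = 0
    mean: Dict[str, float] = field(default_factory=dict)
    var: Dict[str, float] = field(default_factory=dict)

    def departures(self, rec: AuditRecord) -> List[str]:
        """Criteria on which rec departs from the established pattern of use."""
        if self.count < self.warmup:
            return []
        flagged = []
        for c in CRITERIA:
            sd = max(math.sqrt(self.var[c]), MIN_SD[c])
            z = (getattr(rec, c) - self.mean[c]) / sd
            if abs(z) > self.threshold:
                flagged.append(c)
        return flagged

    def update(self, rec: AuditRecord) -> None:
        """Fold one normal record into the profile (EWMA mean and variance)."""
        for c in CRITERIA:
            x = getattr(rec, c)
            if self.count == 0:
                self.mean[c], self.var[c] = x, 0.0
            else:
                delta = x - self.mean[c]
                self.mean[c] += self.alpha * delta
                self.var[c] = (1 - self.alpha) * (self.var[c] + self.alpha * delta * delta)
        self.count += 1


# Misuse detection: a rule database the site administrator can extend.
ADMINS = {"ops"}  # constructed site policy: the only account allowed to use su
Rule = Callable[[List[AuditRecord], AuditRecord], bool]


def three_failed_logins(history: List[AuditRecord], rec: AuditRecord) -> bool:
    """Three consecutive failed logins for one user (known suspicious pattern)."""
    last = history[-3:]
    return len(last) == 3 and all(r.event == "login" and r.outcome == "fail" for r in last)


def su_outside_policy(history: List[AuditRecord], rec: AuditRecord) -> bool:
    """Use of su by an account the site policy does not permit to use it."""
    return rec.event == "su" and rec.user not in ADMINS


RULES: Dict[str, Rule] = {
    "three_failed_logins": three_failed_logins,
    "su_outside_policy": su_outside_policy,
}


class HybridDetector:
    def __init__(self, rules: Dict[str, Rule] = RULES):
        self.rules = dict(rules)
        self.profiles: Dict[str, UserProfile] = {}
        self.history: Dict[str, List[AuditRecord]] = {}

    def process(self, rec: AuditRecord) -> List[str]:
        """Return the alarm names raised by one audit record."""
        hist = self.history.setdefault(rec.user, [])
        hist.append(rec)
        alarms = [name for name, rule in self.rules.items() if rule(hist, rec)]
        prof = self.profiles.setdefault(rec.user, UserProfile())
        flagged = prof.departures(rec)
        if flagged:
            alarms.append("anomaly:" + ",".join(flagged))
        else:
            prof.update(rec)  # only records judged normal shape the profile
        return alarms

    def run(self, records: List[AuditRecord]) -> List[List[str]]:
        return [self.process(r) for r in records]


def demo_alarms() -> List[List[str]]:
    """Constructed audit trail: alice's usage drifts upward slowly (no alarm),
    then spikes (anomaly); bob fails three logins and then runs su (misuse)."""
    cpu = [2.0, 2.4, 1.8, 2.2, 2.0, 2.3, 2.5, 2.6, 9.0]
    io = [100, 120, 90, 110, 100, 130, 150, 160, 9000]
    alice = [AuditRecord("alice", "command", "ok", c, i) for c, i in zip(cpu, io)]
    bob = [AuditRecord("bob", "login", "fail", 0.1, 1) for _ in range(3)]
    bob.append(AuditRecord("bob", "su", "ok", 0.1, 1))
    return HybridDetector().run(alice + bob)


if __name__ == "__main__":
    for i, alarms in enumerate(demo_alarms()):
        print(i, alarms)
```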



1.3     Approaches to Categorizing Intruders

        There are two main approaches to classifying intruders. The first is to simply separate intruders into categories based on their access to a system. An example of this approach is the previously discussed traditional pair of categories: external and internal intruders [And80]. The external intruder is an outsider who has no authorized access to the system and must gain access by compromising the system's security. The internal intruder is one who already has limited access to the system through an authorized user account. An internal intruder can either be a legitimate user or an outsider who is successfully masquerading as a legitimate user.

        The second approach categorizes intruders not by access to a system, but by the method of attack used by the intruder. One example of such an approach divides all attacks into three modes: outside, within, and below [Neu98]. Attacks from the outside come from above or laterally at the same abstraction level. These types of attacks can be unprivileged intrusions where a security flaw was exploited to allow access with no authorization required. Attacks from within are obtained with the privileges of the given level. That is, the attack originates from a privileged user or an outsider successfully masquerading as a privileged user (through password cracking, etc.). Attacks from below are at a lower layer of abstraction. These attacks are either hardware or operating system based and can require some unusual physical access to the system. One example of this type of attack would be connecting a hardware sniffer to the network to gather information.

        Both approaches have their disadvantages with respect to their use in describing intruders. The traditional access oriented approach of splitting all intruders into external and internal categories is too simplistic since it was originally designed for solitary machines where everyone either did (internal) or did not (external) have a user account on that machine. When one replaces the solitary machine with a distributed system, the issue of defining an intruder's access becomes much more complicated. Distributed systems can have multiple levels of users on multiple machines, complex trust relationships between machines, the network infrastructure connecting the machines, and quite often connections to other uncontrolled networks (even including the Internet). Compare the complexity illustrated above to a solitary machine with a single operating system where each individual is either a user or a non-user without an account, and the increased vulnerabilities become obvious.

        The nature of the more complicated distributed system introduces many new vulnerabilities and ways in which an intruder might access the system. It is often stated by experts that system security for distributed systems is fundamentally more complex than it is for stand-alone systems [Nes87]. Therefore extending security concepts developed for stand-alone systems to distributed systems is often not practical [Nes87]. Yet many continue to use only the traditional internal and external access oriented categories, even though it is clear that the transition to networked systems has increased the kinds of access to a distributed system as well as the possible range and complexity of attacks that intruders might attempt. When considering access to a distributed system, defining an intruder as either external or internal has become an ambiguous definition. Since neither has a user account, a janitor damaging network equipment and an Internet hacker attempting to break through a firewall are each considered external intruders. The problem is that in a distributed system the external and internal categories include so many kinds of access to the system that referring to an intruder as either of the categories is no longer distinctive enough.

        Attack oriented categorization can also present an ambiguity problem, but one of a different type. The problem is that a single intruder can often attempt attacks from more than one category (outside, within, and below). An example of such ambiguity would be an authorized user on a UNIX machine (internal intruder) running a software sniffer (attack from below), exploiting an FTP bug (attack from within), or using that machine's privileges to gain access to other machines (security/logic flaw, attack from outside). If the system administrator only knows that just one of these attacks occurred it may be difficult to determine the source of the attack. Depending on a machine's configuration, it is sometimes possible that both authorized users of the machine and non-users connected to the machine can exploit certain FTP bugs to gain root access. If no effort is made to identify the type of access, but only the type of attack, the system administrator of the above machine will not know whether the machine was hacked from the outside or if the intruder is internal, i.e. an authorized user. So while the attack oriented approach may be useful for some purposes, it is not the best choice to unambiguously define intruders.

        The most effective approach to categorizing intruders is to modify the existing access oriented approach to account for the complications of distributed systems and all that has been learned through examinations of attack methods such as the attack oriented categorization approach. In order to discuss intruders in unambiguous terms this modification of the traditional access oriented categorization must seek to create more numerous, but distinct, access oriented categories. The access oriented approach will become less ambiguous as categories are added, while the addition of categories to the attack oriented approach will not change the fact that a given intruder can launch attacks from more than one category. To this end we define and analyze a new distinct category of intruder. The pseudo-internal intruder is the intruder who has the system access to launch many of the attacks that did not exist prior to distributed systems and which are difficult for external or internal intruders to utilize. The end result of defining the pseudo-internal intruder will be a framework in which the scientific intrusion detection community can clearly describe the capabilities of the pseudo-internal intruder, develop techniques for detecting the pseudo-internal intruder, and consider defenses against the pseudo-internal intruder.




The Pseudo-Internal Intruder
                                                                                                10


1.4     Definitions

        Without clear definitions it would be impossible to adequately convey the

different types of access to and within a system. Since this thesis defines intruders based

on their access, it is important to have these precise definitions for most aspects of a

typical distributed system environment.

        A distributed system is an interconnection of two or more computers over a

network. Modern distributed systems often contain many more than two computers as

well as other hardware devices that facilitate digital communication, network

maintenance, and security. The network is the backbone used by elements of a

distributed system to communicate. Since most distributed systems interface with other

distributed systems or the Internet, a particular distributed system‟s network will

sometimes be referred to as an internal network to distinguish it from other networks.

        It is important to note that our definition of a distributed system is different than

the classic definition of a distributed system. For the purpose of this thesis, we are

including systems that some would consider networked systems into our definition of a

distributed system. We are also assuming that any distributed system is reasonably setup

with respect to functionality and security. There is little point in discussing distributed

systems with no network traffic at all (no functionality) or no defenses to protect it from

intruders (no security measures).

        Each distributed system has an owner that is the single administrational and

operational authority. The owner has the ultimate responsibility of maintaining the

distributed system. Owners of large distributed systems often designate operational

authority over all or parts of the system to system administrators who adhere to both a



The Pseudo-Internal Intruder
                                                                                            11


functionality policy and a security policy. The owner of the system creates both policies.

A functionality policy dictates what purpose a distributed system is supposed to serve. A

security policy states what security measures are to be used in a distributed system.

When combined, these two policies control the balance between functionality and

security (i.e. additional security is usually at the cost of functionality).

        Each network contains network devices that facilitate communication between

machines by managing and directing the flow of packets of information bound from one

machine to another. For our purposes we will divide network devices into two types:

routers and hubs. Routers are network devices that selectively forward packets based

upon the intended destination of the packet. For example, if a router has three choices of

directions to forward a packet, it will only forward the packet in directions of intended

recipients (instead of all three directions). Hubs are network devices that forward packets

without selectivity. A hub forwards each packet to every device connected to the hub.

        Every distributed system has a physical configuration that includes all of the hardware used in the distributed system as well as the location of each hardware item. This includes not only computers but also peripherals like printers and scanners, network devices such as routers and hubs, and all networking cable. In short, anything that is connected to the internal network of a distributed system, including the hardware that constitutes the interconnections, is part of its physical configuration. The physical configuration can be represented geographically on a three-dimensional map based upon the physical location of all the hardware.

        The physical perimeter of a distributed system is a three-dimensional geographic boundary such that no hardware item of the physical configuration is outside the boundary. With the exception of hardware items used to create a connection with a system outside the physical perimeter, all of the physical elements of the entire distributed system are inside the physical perimeter. Such hardware items used to make connections with other systems can reside on the physical perimeter, but never outside it. Physical perimeter defenses protect the hardware items of the physical configuration from unauthorized access. These defenses are designed to prevent unauthorized persons from ever crossing the physical perimeter. Examples of physical perimeter defenses include guards, fences, locked doors, and even lead shielding around cables.




                   Figure 1-1: Physical Configuration of Example Network

        Figure 1-1 shows the physical configuration of an example distributed system that is connected to the Internet and to one other external distributed system. All of this distributed system's hardware is surrounded by the physical perimeter. The internal network consists of several network devices (a router and two hubs), four machines, and a printer. One of the machines is connected to a modem, but the modem is not yet connected to a phone line.

        It is useful to define, for each distributed system, a network configuration: a representation of how all elements of the physical configuration are connected and interact with each other. When drawn graphically, it shows the digital pathways connecting each piece of hardware (a node) in the physical configuration, but does not show physical size, distance, or geographic location. Since the network configuration also specifies the ways in which the elements of the configuration use the pathways to communicate with each other, network protocol stacks and the segmentation of a network are aspects of the network configuration. A network protocol is a definition of how two or more nodes on the network will communicate [Tan96]. A network protocol stack is a collection of network protocols chosen by the system administrator to be used in a particular distributed system [Tan96]. A segment of a network is a collection of elements that only receive network traffic intended for one of the nodes in the segment.

        The network perimeter is the separation between a distributed system's internal network and the outside world. The outside world to any given distributed system is anything outside either its physical or its network perimeter. Similar to the physical perimeter, the network perimeter encompasses all nodes and digital pathways of the internal network. The network perimeter does not, however, exist in physical space like the physical perimeter. The network perimeter is merely a conceptual boundary separating the internal network from all other networks (anything in the outside world). The physical perimeter encompasses the actual physical location of each hardware component in the physical configuration.





        A network perimeter defense is anything located at an outside connect that serves to detect and prevent unauthorized access to the distributed system. An outside connect is a point on the network perimeter that allows two-way communication between the distributed system and the outside world. There are three different types of network perimeter defenses: firewalls, audit tools, and authentication packages. Firewalls are software packages or pieces of hardware that limit the network traffic passing through the network perimeter into the internal network of a distributed system. The restrictions on network traffic can range from letting nothing at all through to letting virtually all traffic into the internal network. The restrictions are set based upon the requirements of a distributed system's functionality and security policies. For example, if the owner of a distributed system decides to host web pages that can be seen by users of the Internet, then at least the traffic related to that web service must be let through the firewall. Audit tools record all or part of the network traffic activity observed by the tool. The amount and kinds of traffic recorded are dictated by the functionality and security policies of the distributed system in question. An audit tool might be programmed to record all communication originating from outside the network perimeter, but not communications originating from inside it. System administrators of large distributed systems must often limit the information recorded by audit tools because recording the sheer volume of all traffic would require impractical amounts of disk storage.

        Authentication packages control access to a distributed system's internal network from outside the network perimeter through user accounts and passwords. Owners of a distributed system can allow authorized users who are located outside of the network perimeter a higher level of access. Securely authenticating the identity of the person attempting to connect to the internal network is what allows this higher level of access for particular users. The process is very similar to logging into a network from inside the network perimeter.

        There is also a unique case of an outside connect that needs to be defined. A rogue outside connect is an outside connect whose existence is unknown to the owner of the distributed system that it connects to the outside world. Rogue outside connects are elements of the network configuration, but they are not in the owner's perception of the current network configuration of the distributed system. This means that they cannot be assumed to have any of the network perimeter defense mechanisms usually associated with outside connects.

        The most likely way for a rogue outside connect to occur is when unauthorized hardware becomes part of the physical configuration without the knowledge or permission of the system administrators. One example would be an employee bringing a modem to work and connecting it to their desktop computer. If that desktop computer is connected to the network then it is part of the system's physical configuration and a node of the network configuration. Attaching a new piece of hardware to the computer, like the modem, adds a new piece of hardware to the physical configuration. Connecting a phone line to that hardware item (the modem) already connected to the network creates an outside connect. The modem would allow someone from outside the network perimeter of the system to dial into the modem and gain access to the network through the computer the modem is attached to. Since the system administrators are unaware of this outside connect, the desktop computer does not have the appropriate network perimeter defenses.

        Another example of a potential rogue outside connect can be created by an unauthorized or misconfigured remote network management device. An administrator must manage network devices like hubs and routers by reconfiguring them as changes are made to a system's network configuration. This management of network devices is normally done from a remote location like a central network operations center. Remote network management devices allow communication between a network device and a remote system administrator. The most common example of a remote network management device is a modem connected to a particular network device like a router. Since communication between the management device and the remote manager does not travel over the normal pathways of digital communication in the distributed system, remote network management devices require an entirely different set of security features from the normal network perimeter defenses. If a remote network management device has been installed without the knowledge of the system administrators, then these special defenses have not been set up. Therefore, the remote network management device would be a rogue outside connect.








           Figure 1-2: Network Configuration of Same Network from Figure 1-1

    Figure 1-2 shows a network configuration of the same sample distributed system

from figure 1-1. Notice how different the physical and network configurations can

appear since one is based on the physical location of hardware and the other is not. The

internal network is surrounded by a network perimeter separating the internal network

from the outside world. The Internet and the other distributed system are connected to

the internal network by an outside connect that is guarded by a firewall. Also notice that

the modem has now been connected to an outside telephone line. Assuming that the

system administrators do not know about the modem, that connection forms a rogue

outside connect.





1.5     A New Access Oriented Intruder Category

        As has been discussed, the problem with having only two categories is that intruders with varying degrees of access to a system are combined into the same category. When the concept of internal and external intruders was defined in 1980, systems were largely stand-alone computers. Therefore, those concerned with intrusions were mainly focused on the damage rogue users could do (internal intruders). Not only was it difficult for an external intruder to gain access to a single guarded room, but there was little such an intruder could do without a user account. In fact, there was such a focus on internal intruders that the internal intruder category was further broken up into three subcategories (masquerading, clandestine, and legitimate) while the external category was basically defined as 'anything not internal' [And80].

        Today most systems are large distributed systems running over complex networks. Such a change from stand-alone systems to networked, distributed systems necessitates a reexamination of how intruders are categorized. The scientific intrusion detection community must consider the differences between a traditional external intruder attacking a system from outside the network perimeter and one attacking the system from inside the network perimeter. This thesis examines these traditionally external intruders who have access inside the network perimeter of a distributed system but do not have any of the privileges granted to authorized users. These intruders are called pseudo-internal intruders.








                        Figure 1-3: Box Diagram of Intruder Categories


        The pseudo-internal intruder is an intruder who has circumvented network

perimeter defenses and gained access to the network of a distributed system without

utilizing any user accounts. The primary difference between the pseudo-internal intruder

and the external intruder is that the pseudo-internal intruder has completely bypassed, not

broken through, any network perimeter defenses. Therefore system administrators

relying solely upon network perimeter defenses to notify them of intrusions will have no

knowledge of the existence of a pseudo-internal intruder.

        A pseudo-internal intruder must gain access to a distributed system's network without using an outside connect, since all known outside connects are monitored by network perimeter defenses (i.e. the intruder must get inside the network perimeter without encountering network perimeter defenses). There are two ways to gain this unique type of access: either by violating the physical perimeter to get physical access to the hardware of the distributed system, or by accessing the network configuration through a rogue outside connect. Recall that because the existence of a rogue outside connect is not known to a system's owners, it is not monitored by any of the network perimeter defenses normally used to guard outside connects. Therefore, as far as system security is concerned, an intruder accessing the system through a rogue outside connect is, in effect, inside the network perimeter. Using a rogue outside connect does not require the intruder to violate the physical perimeter, since the rogue outside connect could be the result of system administrator misconfiguration or of users of the system not following security policy. In such cases the pseudo-internal intruder could gain knowledge and use of the rogue outside connect without ever violating physical security to create it.

        Based on these two means of access, pseudo-internal intruders can be divided into two sub-groups: intruders with physical access to some part of a distributed system's physical configuration, and intruders with access to a rogue outside connect. The first sub-group is made up of both insiders and outsiders. Insiders are those who, by virtue of an association with the owner of a distributed system, can personally cross the physical perimeter. Insiders could have access to a wiring closet or perhaps just have a networked computer on their desk. Examples of insiders are system administrators, users of the system, support and cleaning staff, physical security personnel, or even contractors working inside the physical perimeter. Outsiders are intruders who gain their access to the distributed system's physical configuration by violating the physical perimeter through either subterfuge or force. An example of subterfuge might be an outsider illicitly crossing the physical perimeter by posing as a legitimate insider. Or the outsider may choose to use force and break through the physical perimeter by simply breaking into a building.

        The second sub-group, those that use rogue outside connects, can avoid having to contend with any physical perimeter defenses. Note that a rogue outside connect does not include normal dialup or Internet access that passes through an authentication system. Remember that the key aspect of rogue outside connects is that they do not pass through any network perimeter defense mechanisms that might log identity (no user logins) or prevent access. Although an intruder may be dialing in to an unauthorized modem from a location outside the physical perimeter, the access gained is the equivalent of being inside the network perimeter of the system.



1.6     The Pseudo-Internal Intruder: A Distinct Category?

        Any newly proposed access oriented intruder category must be examined to determine if it is truly distinct from the traditional internal and external categories, or merely a sub-group of an existing category. At first, it intuitively seems that a pseudo-internal intruder might be a sub-group of the internal intruder category. Since such an intruder is inside the network perimeter of the system, it certainly seems that they are more 'internal' than 'external'. One must remember, however, that the fundamental definition of an internal intruder has always been an intruder who has at least limited user privileges in the system.

        Next, consider whether it makes more sense to define pseudo-internal intruders as a sub-group of external intruders. Problems arise with this approach. The first is that the access of pseudo-internal intruders allows them to launch attacks that are unavailable to any intruder faced with network perimeter defenses, such as an Internet hacker (the most infamous type of external intruder). While other differences between pseudo-internal intruders and those intruders outside of the network perimeter will be explained later in the thesis, it is sufficient to note one such difference here to illustrate why the attacks are so dissimilar. It is very difficult to attack a state-of-the-art distributed system from outside the perimeter and not be detected, regardless of the success of the attack. An unsuccessful attack on a distributed system will leave evidence in the audit logs, since audit tools would record the network traffic involved in the attack. Since an unsuccessful intruder never gains access, the intruder has no chance to influence the audit tool to prevent it from reporting the attack. Even if an external intruder is successful in gaining access to a distributed system, it is likely that audit tools will record the successful attack. Several recent audit tools are constructed to observe and record the contents of incoming traffic without interacting with the rest of the internal network [ODS98]. Even an intruder who succeeds in breaking through network perimeter defenses may be recorded by an audit tool that the intruder has no way of interacting with to delete any evidence of the intrusion. Even older audit tools are designed so that it is difficult to remove particular information from audit logs without deleting the entire log (i.e. the absence of any audit log will itself serve as evidence of an intrusion). This problem of being detected regardless of whether the intruder gains control of a machine does not affect the pseudo-internal intruder.

        Considering the differences in access to a distributed system, making pseudo-internal intruders a sub-group of external intruders would make calling an intruder 'external' an ambiguous statement. For example, such a combination would make an 'external intruder' both an Internet-based hacker and an employee passively harvesting information from inside the perimeter. Not only does this make the phrase 'external intruder' potentially ambiguous, it is also misleading. As has been discussed above, the access of the pseudo-internal intruder is not external to the system at all. While the unique access of the pseudo-internal intruder is not equivalent to that of either a traditional internal or external intruder, it is definitely closer to being internal. Hence the name pseudo-internal and not pseudo-external. Due to the pseudo-internal intruder's lack of user privileges and dissimilarity with other traditional external intruders, it is a distinct access oriented category and not a sub-group of one of the two existing categories.

        Our real motivation for carefully defining this new category is that it can be the basis for better understanding of, defense against, and detection of the pseudo-internal intruder. The following section describes the unique tools and techniques and the behaviors of the pseudo-internal intruder. Example scenarios of hypothetical pseudo-internal intruders will help to illustrate the dangers to a distributed system represented by such intruders. Later sections describe ways of detecting and defending against the pseudo-internal intruder.







Chapter 2: Capabilities of the Pseudo-Internal Intruder

2.1     Tools and Techniques Used by the Pseudo-Internal Intruder

        The unique aspect of the pseudo-internal intruder category is access to the internal network from inside the network perimeter. It has been pointed out that accessing the network of a distributed system from inside the network perimeter allows pseudo-internal intruders to avoid the auditing and security measures of network perimeter defenses. But what does this mean with respect to a distributed system's security? What can a pseudo-internal intruder do that makes him or her such a unique threat? It is helpful to first review the tools and techniques that pseudo-internal intruders can utilize prior to explaining the threat and behavior of such intruders. Familiarity with these tools will lead to a better understanding of such threats, since many of the unique abilities of pseudo-internal intruders derive from the ability to use such tools in ways that no other kind of intruder can. There are four kinds of tools and techniques that pseudo-internal intruders can use: network assessment tools, packet sniffers, exploits (that do not require user accounts), and denial of service attacks.

        1. Network assessment tools gather information about the network configuration and report on potential vulnerabilities of a distributed system. In passive mode, these tools gather network configuration information by examining the packets passing the assessment tool's location on the network. Each packet has a header that contains certain information about the packet, depending on the protocol stack in use in a distributed system. For example, the header of an IPv4 packet (figure 2-1) contains the source and destination of the packet, the relative age of the packet (the time-to-live field), and the type of service the packet desires from the network. Through optional header fields, IPv4 packets may also carry the security level of the packet, the path that the source wanted the packet to follow, the path that the packet actually followed, and a timestamp from each router the packet traversed.




                               Figure 2-1: IPv4 Packet Header [Tan96]

Network assessment tools correlate the information gathered from observing packet

headers and can build a picture of a distributed system‟s network configuration. This

picture can include not only the routes between nodes in the network configuration, but

details like which nodes send and receive the most traffic, and what services the traffic is

being directed to (FTP, HTTP, Telnet, etc.).
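As an added illustration of passive assessment (example code written for this edition, not part of the thesis), the following Python decodes IPv4 headers, including the option fields mentioned above, and correlates them into the picture just described: the busiest nodes, the services in use (taken from TCP destination ports), and which nodes talk to which. The packets, the addresses and the small service-port table are constructed for the example; a real tool would read frames from a network interface instead of a list.

```python
import struct
from collections import Counter, defaultdict

# Assumed service-port table used to label traffic; a real tool has a much larger one.
SERVICE_NAMES = {21: "FTP", 23: "Telnet", 80: "HTTP"}
# IPv4 option type codes (RFC 791) for the optional fields discussed in the text.
OPTION_NAMES = {7: "record route", 68: "timestamp", 130: "security",
                131: "loose source route", 137: "strict source route"}


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and any options into a dictionary."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options = {}
    i = 20
    while i < ihl:                       # walk the option list, if any
        kind = packet[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # no-operation (padding)
            i += 1
            continue
        length = packet[i + 1]           # covers type, length and data bytes
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options[kind] = packet[i + 2:i + length]
        i += length
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "tos": tos, "ttl": ttl, "proto": proto, "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "options": options, "payload": packet[ihl:total_len],
    }


def option_names(header: dict) -> list:
    """Human-readable names of the options present in a parsed header."""
    return sorted(OPTION_NAMES.get(k, f"option {k}") for k in header["options"])


def build_picture(packets):
    """Correlate many headers into the picture a passive tool reports:
    who talks most, which services are used, and which nodes talk to which."""
    talkers, services, links = Counter(), Counter(), defaultdict(set)
    for raw in packets:
        h = parse_ipv4(raw)
        talkers[h["src"]] += 1
        talkers[h["dst"]] += 1
        links[h["src"]].add(h["dst"])
        if h["proto"] == 6 and len(h["payload"]) >= 4:     # TCP: read the port pair
            _sport, dport = struct.unpack("!HH", h["payload"][:4])
            if dport in SERVICE_NAMES:
                services[(h["dst"], SERVICE_NAMES[dport])] += 1
    return talkers, services, links


def make_packet(src, dst, proto, payload=b"", options=b"", ttl=64, tos=0):
    """Build a constructed test packet (not captured traffic)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    ihl = 20 + len(options)
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (ihl // 4), tos, ihl + len(payload),
                        1, 0, ttl, proto, 0, bytes(map(int, src.split("."))),
                        bytes(map(int, dst.split("."))))
    return fixed + options + payload


def tcp(sport, dport):
    """Minimal 20-byte TCP header carrying only the port pair (constructed)."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


# Record-route option: type 7, length 7, pointer 8, one recorded hop 10.0.0.1 (constructed).
RECORD_ROUTE = bytes([7, 7, 8, 10, 0, 0, 1])
SAMPLE = [                                # constructed traffic on an internal segment
    make_packet("10.0.0.5", "10.0.0.2", 6, tcp(1025, 21)),
    make_packet("10.0.0.5", "10.0.0.2", 6, tcp(1026, 21)),
    make_packet("10.0.0.7", "10.0.0.2", 6, tcp(1100, 80)),
    make_packet("10.0.0.2", "10.0.0.5", 6, tcp(21, 1025), options=RECORD_ROUTE, ttl=63),
]

if __name__ == "__main__":
    talkers, services, links = build_picture(SAMPLE)
    print("busiest nodes:", talkers.most_common())
    print("services seen:", dict(services))
    print("options on last packet:", option_names(parse_ipv4(SAMPLE[-1])))
```

The option walker is the part worth getting right: a tool that trusts the option length byte without checking it against the header length can be made to read past the header by a crafted packet, which is why the parser rejects lengths that overrun the IHL.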

        In active mode, network assessment tools not only examine passing packets, but also send out queries over the network. These queries attempt to identify the presence and type of any device on the network. Most network assessment tools contain databases of vulnerabilities per operating system and network service. Once the tool finds evidence that indicates some device it is scanning may have one of the vulnerabilities in its database, the tool reports this fact to the pseudo-internal intruder. Some tools also explain how the vulnerability could be exploited. For example, the network assessment tool may send a request to use the FTP service on a targeted machine. The version number of the FTP service available on the targeted device is then checked against the tool's internal list of FTP versions that contain known vulnerabilities. Perhaps the targeted device is running one of the FTP versions that are susceptible to an attack where anonymous users can crash the service and retrieve the shadow password file from the core dump created by the crash. The shadow password file could then be cracked to recover user account names and associated passwords on the target machine. In addition to any information gained from packet headers, all of the FTP vulnerability information would be reported to the pseudo-internal intruder using the network assessment tool.
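An added example of the active check just described (example code, not code from the thesis): the tool opens the FTP control connection, reads the greeting, extracts the daemon name and version, and compares that version against a database of first-fixed versions. The daemon name "exampleftpd", its version numbers and the attached note are placeholders invented for this example, as are the sample greetings; grab_banner performs a real connection and is not exercised by the constructed data.

```python
import re
import socket

# Constructed "vulnerability database": daemon name -> (first fixed version, note).
# These entries are placeholders for the example, not real advisories.
FIXED_IN = {
    "exampleftpd": ((2, 0), "versions before 2.0 leave a readable core file when crashed"),
}

# Matches a 220 greeting such as "220 host FTP server (exampleftpd 1.4) ready."
BANNER_RE = re.compile(
    r"^220[ -].*?(?P<daemon>[A-Za-z][A-Za-z0-9_]*ftpd)[ /]*(?:version)?[ ]*(?P<ver>\d+(?:\.\d+)*)",
    re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'2.0.1' -> (2, 0, 1), so versions compare component by component."""
    return tuple(int(p) for p in text.split("."))


def parse_banner(banner: str):
    """Return (daemon, version tuple) from a greeting, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group("daemon").lower(), parse_version(m.group("ver"))


def assess_banner(banner: str) -> dict:
    """Compare the advertised version with the database and report a finding."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"identified": False, "flagged": False, "banner": banner.strip()}
    daemon, version = parsed
    entry = FIXED_IN.get(daemon)
    flagged = entry is not None and version < entry[0]
    return {"identified": True, "daemon": daemon,
            "version": ".".join(map(str, version)), "flagged": flagged,
            "note": entry[1] if flagged else ""}


def grab_banner(host: str, port: int = 21, timeout: float = 3.0) -> str:
    """Open the control connection and read the greeting: the 'request to use the FTP service'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace")


def assess_host(host: str, port: int = 21) -> dict:
    """Active probe: connect, read the greeting, assess it."""
    return assess_banner(grab_banner(host, port))


# Constructed greetings standing in for live responses.
SAMPLE_BANNERS = [
    "220 ftp.internal.example FTP server (exampleftpd 1.4) ready.\r\n",
    "220 files.internal.example FTP server (exampleftpd version 2.0.1) ready.\r\n",
    "220 Welcome to the print server.\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess_banner(banner))
```

Version strings are compared as integer tuples rather than as text, so that 2.0.1 is correctly judged newer than 2.0 and 10.0 newer than 9.0; a string comparison would get both wrong. A banner the tool cannot identify is reported as such rather than silently passed, since an unidentifiable service is itself something the intruder (or the administrator) wants to know about.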

        2. Packet sniffers record each packet that passes by the sniffer's location on the network. In contrast to network assessment tools, which scan packet headers, packet sniffers are used to read and record the contents of the packet. Dumb packet sniffers simply collect the packets and store them in memory for a human to later examine the raw data. There are, however, intelligent packet sniffers that are programmed to look for particular pieces of information such as network account names and passwords. Often these intelligent sniffers simply discard packets that do not appear to contain the particular information for which the sniffer is searching. For this reason, intelligent packet sniffers can run longer before human intervention is required, because they store information more selectively, recording less than the total amount of information passing the sniffer. Dumb packet sniffers must be periodically checked or swapped out, or else the memory will become full and new packets will either be discarded or written over already stored packets. The frequency with which the dumb sniffer must be checked depends on the memory available to the sniffer and the volume of network traffic on the target system.



        Packet sniffers can either be programs run on a normal computer attached to the network (software sniffers) or autonomous devices built only to analyze network traffic (hardware sniffers). Hardware sniffers are much more expensive, but have the advantage of being completely passive. Because it is custom designed, the hardware sniffer can analyze passing traffic without producing any output at all. This lack of output is unlike a computer running a software sniffer, because the computer will often have to register itself with the network or have its own unique network identifier even to receive packets (having an IP address is an example of this in an IP-based network). In practice a network interface placed in promiscuous mode can capture frames without any address assigned; what gives a general-purpose host away is the traffic it generates on its own (name lookups, address resolution and the like) unless it is configured to emit nothing. A highly skilled pseudo-internal intruder can create a software sniffer that is totally passive (like a hardware sniffer), but this requires a customizable operating system, like Linux, and a high degree of knowledge about operating systems as well as pseudo-internal intrusion techniques.
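The router and hub definitions of the previous chapter and the dumb/intelligent sniffer distinction above, as one added example in Python (written for this edition, not code from the thesis): hubs repeat every packet to their whole segment and the router forwards only onto the destination's segment, so a sniffer captures exactly the traffic that passes its own segment. The dumb sniffer is a fixed-size buffer that overwrites its oldest packets when full; the intelligent sniffer keeps only FTP-style USER and PASS lines and discards everything else. The node names, the hub layout and the traffic are constructed for the example.

```python
import re
from collections import deque


class Network:
    """Hubs joined by one router. A hub repeats every packet to all of its ports,
    so every node on that segment sees it; the router forwards a packet onto the
    destination's segment only, so other segments never see it."""

    def __init__(self):
        self.segment_of = {}            # node name -> hub (segment) name

    def attach(self, node, hub):
        self.segment_of[node] = hub

    def nodes_on(self, hub):
        return {n for n, seg in self.segment_of.items() if seg == hub}

    def observers(self, src, dst):
        """Every node whose interface the packet src -> dst passes."""
        seen = self.nodes_on(self.segment_of[src])
        if self.segment_of[dst] != self.segment_of[src]:
            seen |= self.nodes_on(self.segment_of[dst])
        return seen


class DumbSniffer:
    """Stores raw packets in a fixed-size buffer; when full, the oldest are overwritten."""

    def __init__(self, capacity):
        self.store = deque(maxlen=capacity)

    def observe(self, pkt):
        self.store.append(pkt)


CRED_RE = re.compile(rb"^(USER|PASS) (\S+)", re.M)   # FTP-style clear-text login lines


class IntelligentSniffer:
    """Keeps only what it was told to look for and discards everything else."""

    def __init__(self):
        self.creds = []

    def observe(self, pkt):
        m = CRED_RE.search(pkt["payload"])
        if m:
            self.creds.append((pkt["src"], pkt["dst"], m.group(1).decode(), m.group(2).decode()))


def pkt(src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload}


# Constructed traffic: alice sits on hub A with the sniffer; bob and the file
# server sit on hub B, on the far side of the router.
TRAFFIC = [
    pkt("alice", "fileserver", b"USER alice\r\n"),
    pkt("fileserver", "alice", b"331 Password required\r\n"),
    pkt("alice", "fileserver", b"PASS s3cret\r\n"),
    pkt("bob", "fileserver", b"USER bob\r\n"),
    pkt("bob", "fileserver", b"PASS hunter2\r\n"),
    pkt("alice", "fileserver", b"LIST\r\n"),
]


def run_capture(sniffer_node="sniffer", dumb_capacity=3):
    """Feed TRAFFIC through the example network and return both sniffers."""
    net = Network()
    for node, hub in [("alice", "A"), ("sniffer", "A"), ("bob", "B"), ("fileserver", "B")]:
        net.attach(node, hub)
    dumb, smart = DumbSniffer(dumb_capacity), IntelligentSniffer()
    for p in TRAFFIC:
        if sniffer_node in net.observers(p["src"], p["dst"]):
            dumb.observe(p)
            smart.observe(p)
    return dumb, smart


if __name__ == "__main__":
    dumb, smart = run_capture()
    print("credentials harvested:", smart.creds)
    print("raw packets left in the dumb sniffer's buffer:", [p["payload"] for p in dumb.store])
```

Run as written, the sniffer on hub A harvests alice's login but never sees bob's, because bob and the file server share a segment the router never forwards out of; moving the sniffer onto hub B (the file server's segment) captures both logins. The dumb sniffer, with room for three packets, has already lost alice's USER line by the time the capture ends, which is the memory-pressure problem the text describes.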

        3. An exploit consists of the steps required to take advantage of a given vulnerability in a network device (router, hub, etc.) or a machine. An intruder must perform certain actions to successfully attack a target machine or device. These actions are usually sequential and can be thought of as a series of steps. By executing the correct steps in the correct order, a vulnerability can be exploited. The Ping of Death attack is one example of an exploit. It was found that sending an abnormally sized (very large) ping packet to machines running the operating system Windows 95 (and many other operating systems of the time) would crash the machine: the ping arrives as IP fragments whose reassembled length exceeds the 65,535-byte maximum of an IP datagram, overflowing the fixed-size reassembly buffer in the receiving operating system. The following steps are required to execute the Ping of Death exploit:

            Intruder discovers the IP address of the machine to be attacked.

            Intruder sends an oversized ping packet to the target IP address.

            Targeted machine crashes upon receipt of the oversized ping packet.

While a rather simple exploit, the Ping of Death is very effective against machines that have not been updated with the Microsoft security patch (or the corresponding vendor patch for other systems) that eliminates the Ping of Death problem.
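As an added example (not from the thesis) of the defect the Ping of Death steps rely on, the following Python models IP fragment reassembly on the receiving host. make_ping_fragments splits an echo request the way a sender does; Reassembler either drops a fragment that would end past the 65,515-byte data limit (the fix that the vendor patches applied) or, with bounds_check=False, raises at the point where an unpatched C implementation writes past its buffer. The Ethernet MTU and the two payload sizes are the conventional values; the traffic is constructed, nothing is sent on a network.

```python
IP_MAX_DATAGRAM = 65535                             # 16-bit total-length field
IP_HEADER_LEN = 20                                  # header without options
IP_MAX_PAYLOAD = IP_MAX_DATAGRAM - IP_HEADER_LEN    # 65515 bytes of data can be reassembled
ICMP_HEADER_LEN = 8


def make_ping_fragments(icmp_data_len, mtu=1500):
    """Split an ICMP echo request (8-byte header plus icmp_data_len bytes of data)
    into IP fragments the way a sender does. Each fragment is described as
    (offset in 8-byte units, more-fragments flag, data length)."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8       # 1480 on Ethernet
    total, offset, frags = ICMP_HEADER_LEN + icmp_data_len, 0, []
    while offset < total:
        n = min(per_fragment, total - offset)
        frags.append((offset // 8, offset + n < total, n))
        offset += n
    return frags


def oversized(frags):
    """True if any fragment would land beyond the largest legal datagram."""
    return any(off * 8 + n > IP_MAX_PAYLOAD for off, _more, n in frags)


class Reassembler:
    """Reassembly buffer for one datagram. With bounds_check=False it mimics the
    unpatched behaviour (writing past the end, which in a C kernel corrupts memory);
    with bounds_check=True it applies the fix: drop fragments that end past the limit."""

    def __init__(self, bounds_check=True):
        self.bounds_check = bounds_check
        self.buf = bytearray(IP_MAX_PAYLOAD)
        self.received = 0
        self.datagram_len = None
        self.dropped = 0

    def accept(self, frag, data=None):
        off, more, n = frag
        start, end = off * 8, off * 8 + n
        if end > IP_MAX_PAYLOAD:
            if self.bounds_check:
                self.dropped += 1
                return "dropped"
            # Simulated crash: a C implementation would copy n bytes past the buffer here.
            raise OverflowError(f"fragment ends at byte {end}; buffer holds {IP_MAX_PAYLOAD}")
        self.buf[start:end] = data if data is not None else bytes(n)
        self.received += n
        if not more:
            self.datagram_len = end          # the last fragment fixes the total size
        return "complete" if self.received == self.datagram_len else "pending"


def deliver(frags, bounds_check=True):
    """Push every fragment through one reassembler; return (reassembler, final status)."""
    r = Reassembler(bounds_check)
    status = "pending"
    for f in frags:
        status = r.accept(f)
    return r, status


if __name__ == "__main__":
    normal = make_ping_fragments(56)            # an ordinary 64-byte ping
    attack = make_ping_fragments(65510)         # 65518 bytes of ICMP: past the limit
    print("normal ping:", deliver(normal)[1], "| oversized:", oversized(normal))
    print("ping of death, patched host:", deliver(attack)[1], "| fragments:", len(attack))
    try:
        deliver(attack, bounds_check=False)
    except OverflowError as e:
        print("ping of death, unpatched host:", e)
```

The check is deliberately on offset plus length, not on the length of any single fragment: every fragment of the attack is an ordinary 1480-byte piece, and only the last one, placed at an offset near the top of the 13-bit range, carries the reassembled datagram past the limit. A filter that inspects fragments one at a time without tracking offsets would pass the attack.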

        4. Denial of service attacks are those that degrade the functionality of one or more machines by preventing the machines from communicating over the internal network. These are not direct attacks against target machines, but indirect attacks against the machines' ability to communicate. For example, the Ping of Death is not a denial of service attack in this sense, since it directly targets a vulnerability in a machine's operating system. Denial of service attacks are popular because they require less skill than exploiting vulnerabilities and are extremely difficult to defend against. The attacker does not have to determine the vulnerabilities of a target machine's software and what steps are required to exploit those vulnerabilities. From a functional viewpoint, denying the target machine the ability to provide service to other machines is the equivalent of taking the machine down by gaining control of it. Recall that any distributed system has a functionality policy that dictates the purpose of the system. If a denial of service attack prevents the distributed system from fulfilling its purpose, then the pseudo-internal intruder has succeeded.

        There are two types of denial of service attacks: network saturation and traffic misdirection. Network saturation is the process of flooding the network with useless traffic so that legitimate requests for service cannot reach the target machine. This is the easiest type of denial of service attack, as it only requires access to the network configuration of which the target machine is a node. While there are different methods of network saturation, the most common is to direct a machine on the same internal network as the target machine to continuously output packets.

        Traffic misdirection is the interception or diverting of network traffic intended for

the target machine. One example of traffic misdirection is IP spoofing. IP spoofing is a

process by which an intruder convinces other computers on the network that his or her

machine is in fact the target machine. In this way no request for service is ever received

by the target machine. IP spoofing does, however, require more technical expertise than

network saturation.
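As an added example of detecting the network saturation just described (example code, not from the thesis; traffic misdirection is not covered here), the following Python scans audit-style records and flags any source that emits a threshold number of packets within a sliding one-second window, together with the destination it is hammering. The log format, the addresses, the threshold and the traffic are constructed for the example.

```python
from collections import defaultdict, deque


def parse_log(text):
    """Parse constructed audit-tool lines of the form '<seconds> <src> <dst>'."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst = line.split()
        records.append((float(t), src, dst))
    return records


def detect_saturation(records, window=1.0, threshold=200):
    """Flag any source that sends at least `threshold` packets within any `window`
    seconds; report (source, most-targeted destination, time, packets in window)."""
    recent = defaultdict(deque)            # src -> timestamps inside the current window
    targets = defaultdict(lambda: defaultdict(int))
    alerts, already = [], set()
    for t, src, dst in sorted(records):
        q = recent[src]
        q.append(t)
        targets[src][dst] += 1
        while q and q[0] <= t - window:    # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in already:
            already.add(src)               # one alert per offending source
            top = max(targets[src], key=targets[src].get)
            alerts.append((src, top, t, len(q)))
    return alerts


# Constructed log: ordinary chatter plus one host spewing 500 packets in half a second.
NORMAL = "\n".join(f"{i * 0.25:.3f} 10.0.0.5 10.0.0.2" for i in range(8))
FLOOD = "\n".join(f"{1.0 + i * 0.001:.3f} 10.0.0.9 10.0.0.2" for i in range(500))
SAMPLE_LOG = NORMAL + "\n" + FLOOD + "\n"

if __name__ == "__main__":
    for src, dst, t, n in detect_saturation(parse_log(SAMPLE_LOG)):
        print(f"{t:.3f}s: {src} sent {n} packets in 1s, mostly to {dst}: saturation")
```

A per-source window is the right unit for the single-machine flood the text describes; a saturation attack mounted from several machines at once would need the same window keyed by destination instead, so that many moderate senders aimed at one target are still summed.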

        Certain exploits and denial of service attacks have been automated in hacker programs. Hacker programs are computer programs that attack target machines by attempting preprogrammed exploits or denial of service attacks. The advantage of such a program to a pseudo-internal intruder is that very little knowledge of the exploit steps or vulnerabilities is required of the user. The user simply directs the program to attack certain machines and it takes action accordingly. The disadvantage is that hacker programs are usually only preprogrammed with one or two exploits or denial of service attacks. Hacker programs will not be effective if the targeted machine does not have any of the exact vulnerabilities for which the hacker program has exploits or denial of service attacks. An example of a hacker program is WinNuke for Windows. WinNuke delivers a single-packet crash of the same kind as the Ping of Death (its actual payload is out-of-band TCP data sent to the NetBIOS port of an unpatched Windows 95 or NT machine) against any number of machines as directed by the user. All the user has to do is install the program and direct it to attack a machine. No knowledge of how the packet is constructed or of what commands are used to send it is required.




        It is also important to note why pseudo-internal intruders can use these four tools and techniques more effectively than external intruders can. In each case, the network perimeter defenses prevent external intruders from using them effectively. Network assessment tools and packet sniffers are of little use from outside the network perimeter because the bulk of the packets transmitted on the internal network are addressed to internal destinations and never leave the perimeter; perimeter defenses such as firewalls pass only the traffic addressed to the outside world. With only that traffic to sample from, assessment tools and sniffers would be only marginally useful. Perimeter defenses are also commonly configured to reject the queries of active network assessment tools, which prevents those tools from gathering information about the internal network. The same perimeter defenses are intended to block denial of service attacks and exploits against devices inside the perimeter: a firewall that detects an abnormal volume of traffic directed at the internal network can refuse to pass it. Such a flood might prevent machines in the outside world from communicating with the distributed system, but machines inside the perimeter would still be able to communicate with the target machine and with one another.

        While there are other tools and techniques used by intruders, these four categories

are the only ones that apply to pseudo-internal intruders [Bou98]. A pseudo-internal

intruder has two choices upon gaining access to a distributed system: listen to the system



(read) or try to effect some change upon the system (write). If the pseudo-internal

intruder chooses to listen to the system then he or she can either read the headers of

packets (assessment tools) or the body of packets (sniffers). If the pseudo-internal

intruder decides to attack the system then he or she can either attack the machines on the

network (exploits) or the network itself (denial of service attacks). New pseudo-internal

intruder tools and techniques will surely be developed in the future, but they will fall into

one of the above four categories characterized by reading or writing.



2.2     Dangers of the Pseudo-Internal Intruder

        Pseudo-internal intruders have two main courses of action: proactive and passive. Proactive actions create normal or excessive network traffic; their nature is to actively seek out information or to effect some change on the network. Passive actions contribute little or no traffic to a distributed system's internal network. By nature they attempt to contribute no traffic at all, but in some cases passive actions add small amounts of protocol traffic to the distributed system, because some protocols require a machine to register its presence before it can communicate on the network. When the Dynamic Host Configuration Protocol (DHCP) is in use, each computer must request an IP address from the DHCP server, which grants the requesting computer a 'lease' on a specific address. This exchange creates a small amount of protocol traffic. While a highly skilled pseudo-internal intruder can avoid such traffic (for instance by configuring an address by hand, or by only listening and never transmitting), many potential intruders with pseudo-internal access will not be able to avoid it. Such traffic is, however, so minimal that it should not be considered proactive.

        A passive pseudo-internal intruder is limited to harvesting information passing

through that segment of the network configuration on which the intruder is located. In

order to gather this information, passive pseudo-internal intruders can only utilize tools

that generate little or no network traffic such as packet sniffers and passive network

assessment tools. Such information may be the actual data traveling over the network or

it may contain clues about the details of the network configuration itself. Although there

are not many different passive actions, the act of harvesting information can compromise

the security of a distributed system. The data itself may be private or the information

gained about the network configuration can lead to the discovery of vulnerabilities in the

system. Passive actions are not available to the traditional external intruder since network

perimeter defenses would prevent the escape of any information not intended for

recipients outside the network perimeter. While it is possible for an internal intruder to

utilize user account privileges to harvest information it is not really a passive action since

the utilization of a user account creates normal network traffic. There is a greater chance

that an internal intruder, rather than a passive pseudo-internal intruder, would be detected

harvesting information because many intrusion detection systems that monitor user

activity would detect the effects of a user running network assessment tools.

        The following example scenario illustrates the danger represented by a pseudo-internal intruder using only passive actions. The main character is an industrial espionage agent paid to covertly steal proprietary business information from a competitor. The agent believes that such information can be found in the competitor's distributed system. For the information to be of value to the agent's employer, the competitor must not learn that it has been stolen; otherwise the competitor may pursue legal action or deliberately invalidate the stolen information. The phrase target system will be used to refer to any distributed system that is the attack target of the particular intruder being discussed.

        The agent therefore decides to forgo the risk of testing the target system's network perimeter defenses and instead attempts to gain direct access to the network configuration. The agent is able to get a job as a custodian for the janitorial service that cleans the office building housing the target system. While the agent's new employee status does not grant access to restricted areas like server rooms, it does provide access to several closets that contain hubs and wiring for the target system's network. These 'wiring closets' give the agent direct access to the physical configuration, and therefore the network configuration, of the target system without having to cross the network perimeter or contend with any network perimeter defenses.

        Because the agent's goal is to gather proprietary information without being detected, he or she connects a hardware packet sniffer to the hub in one of the wiring closets. Depending on the style of the sniffer, it can be plugged into an open port on the hub or coupled around a cable leading to the hub. The agent hides the sniffer and leaves it in place for several days, during which it records every packet transmitted on the segment to which that hub is connected. Since the sniffer has a finite amount of memory in which to store packets, the agent periodically swaps it for another and takes the full one to another location to examine the captured packets at leisure. While the agent could leave a sniffer in place indefinitely, simply exchanging units every few days, the choice is made to remove all hardware sniffers after a particularly critical high-level communication is intercepted. Ending the operation further decreases the chance that the owners of the target system will ever realize that proprietary information has been compromised. Soon after removing the last sniffer, the agent quits the janitorial service citing unhappiness with the job.

        The above industrial agent is an example of an outsider passive pseudo-internal

intruder. This agent has accomplished the mission of compromising the target system

while avoiding any perimeter defense (unlike an external intruder) and not using any user

permissions at all (unlike an internal intruder). The entire attack consisted of passive

actions that would likely go unnoticed by system administrators. Expensive hardware

sniffers, like the one used by the espionage agent, can easily be designed to create no

additional network traffic, while recording all passing network traffic. Recall that most

software sniffers running on computers (cheaper than custom built hardware sniffers)

create a small amount of network traffic that could be detected by system administrators.

        Other pseudo-internal intruders are willing to accept the risk of proactive actions.

This allows the proactive pseudo-internal intruder a wider range of options including

denial of service attacks, exploiting the vulnerabilities of machines on the network, use of

hacker programs, and proactive network assessments. The character in the next scenario

is a disgruntled data entry specialist, an unhappy employee working for the owners of the

target system. This employee is angry about a lack of compensation. The situation has

led the employee to attempt to disrupt the target system in contrast to the previously



mentioned example of an attempt to gather confidential information from a target system.

The disgruntled employee will serve as an example of a proactive pseudo-internal

intruder.

        The employee has decided to attack the computer responsible for payroll on the

day that payroll checks are to be created. Although this employee does not have physical

access to any areas like server rooms or wiring closets, he or she still has access to

several network jacks where computers in the office are connected to the network. That

office connection provides the employee with direct access to the internal network of the

target system while circumventing any network perimeter defenses. Each office not only

contains personal desktop computers for most employees, but several computers that are

shared among all employees in each office. The shared machines require no user account

since they are intended for word processing and Internet research, but not for users to log

in to the network. In order to access shared network printers and the Internet, the shared

machines are connected to the network and running the correct protocol stack for the

network. Therefore, the machines can communicate on the network regardless of

whether a user is logged in or not. In case any of his or her actions are detected, the

employee decides to use one of the shared machines in the office. Since many different

employees have access to the shared machine, it would be difficult for system

administrators to connect any suspicious traffic coming from the shared machine to any

single employee.

        The disgruntled employee begins the intrusion by running a network assessment tool on the shared machine in order to gather information about the target system's network configuration. The anonymity of the shared machine encourages the employee to direct the tool to conduct a proactive assessment. Preliminary results identify the IP address and name of the payroll server from traffic intercepted from that server, which allows the employee to direct the assessment tool to gather information on that single machine. Focusing on one machine reduces the amount of network traffic and hence the likelihood that the assessment traffic will be detected by system administrators. The result is a detailed picture of the payroll server: what services it runs (FTP, Telnet, and so on), the versions of its software and services, and which network nodes it communicates with and how often. Assume further that the assessment tool also intercepted several user account names and passwords transmitted in the clear when users remotely logged in to the payroll machine over such services, and that one of those captured accounts belonged to a user with administrative rights on the payroll machine, a type of local system administrator for that single machine.
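
The captured administrator login is plausible because FTP and Telnet carry credentials in the clear. As an added example, not taken from the thesis, the following scans a reassembled FTP control conversation for USER/PASS pairs and uses the server's reply codes to tell accepted logins from refused ones, which is what a sniffer on the shared segment (or an administrator auditing where credentials are exposed) would extract. The session, account name, addresses and passwords are constructed.

```python
"""Added example, not code from the thesis: scan a reconstructed FTP control
conversation for credentials sent in the clear, the exposure that lets the
intruder in the scenario capture an administrator's login to the payroll
server. FTP (RFC 959) sends USER and PASS as plain text; the server answers
331 to ask for the password, 230 when the login is accepted and 530 when it
is refused. The conversation below is a constructed sample of what a sniffer
on the shared segment would see once the TCP stream is reassembled; every
name, address and password in it is invented.
"""


def ftp_logins(conversation):
    """Return one dict per login attempt: {user, password, accepted}.

    `conversation` is a list of (direction, line) pairs, direction "C" for
    client to server and "S" for server to client, in wire order. A PASS is
    paired with the most recent USER and judged by the next server reply.
    """
    attempts = []
    user = None
    pending = None
    for direction, line in conversation:
        verb, _, arg = line.strip().partition(" ")
        if direction == "C":
            command = verb.upper()
            if command == "USER":
                user = arg
                pending = None
            elif command == "PASS" and user is not None:
                pending = {"user": user, "password": arg, "accepted": False}
        elif direction == "S" and pending is not None:
            code = verb[:3]                       # also covers "230-..." multi-line replies
            if code == "230":                     # 230 User logged in, proceed
                pending["accepted"] = True
                attempts.append(pending)
                pending = None
            elif code.startswith(("4", "5")):     # 530 Not logged in, and similar
                attempts.append(pending)
                pending = None
            # 1xx/3xx replies leave the attempt open until a final reply arrives
    return attempts


def working_credentials(conversation):
    """Only the (user, password) pairs the server actually accepted."""
    return [(a["user"], a["password"])
            for a in ftp_logins(conversation) if a["accepted"]]


# Constructed sample: one mistyped password, then a successful login by the
# payroll server's local administrator account.
SAMPLE_SESSION = [
    ("S", "220 payroll FTP server ready."),
    ("C", "USER payadmin"),
    ("S", "331 Password required for payadmin."),
    ("C", "PASS Wr0ngOne"),
    ("S", "530 Login incorrect."),
    ("C", "USER payadmin"),
    ("S", "331 Password required for payadmin."),
    ("C", "PASS P@yr0ll-99"),
    ("S", "230 User payadmin logged in."),
    ("C", "PWD"),
    ("S", '257 "/" is the current directory.'),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

if __name__ == "__main__":
    for attempt in ftp_logins(SAMPLE_SESSION):
        status = "accepted" if attempt["accepted"] else "refused"
        print(f"{attempt['user']} / {attempt['password']}: {status}")
```

Pairing each PASS with the server's final reply matters: an auditor wants the credential that actually worked, not every string a user typed, and an intruder reading the same stream gets the same certainty.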

        It is clear that, so far, the disgruntled employee can not be considered an external

or internal intruder. The employee has not used any user privileges thus far, nor did the

employee have to contend with any perimeter defenses. At this point it is possible that

the employee will become an internal intruder by masquerading as the payroll server

administrator mentioned above. The employee will likely be able to use the permissions

of that account to delete everything on the payroll server. Such a move would likely

destroy the data required to create payroll checks for that week. If the system

administrator account had not been captured, the employee could continue to be a

proactive pseudo-internal intruder and attempt to gain control of the machine by



exploiting some of the vulnerabilities that the assessment tool found. Yet another

possibility would be to launch denial of service attacks against the machine to prevent it

from communicating with other machines in the manner necessary to gather payroll data.

        The disgruntled employee scenario involves a single intruder having access to a

distributed system that places the intruder in more than one access oriented intruder

category. In this example, a pseudo-internal intruder harvested system administrator

account information that would have allowed the intruder to log in as the system

administrator. The disgruntled employee would still have the access of a pseudo-internal

intruder, even after logging in as a system administrator and gaining access reserved to

internal intruders. It is possible for a given intruder to start with or obtain more than one

type of access to a target system, thus placing the intruder in more than one access

oriented intruder category. Any intruder with more than one type of access (external,

internal, pseudo-internal) to a distributed system is a multi-category intruder.

        The multi-category intruder is not a new concept brought about by the

introduction of a third category to the traditional internal and external pair of intruder

categories. For example, if an Internet hacker (external intruder) discovered a user

account name and its password, then the hacker could log in to the target system as that

user. Once logged in, the external Internet hacker would be taking advantage of user

privileges, thus granting the hacker the access of an internal intruder. This use of user

privileges would not eliminate the fact that the Internet hacker was still also outside the

network perimeter of the system with the access of an external intruder. Since this

example does not involve a pseudo-internal intruder, it appears that multi-category

intruders exist whether one chooses to distinguish intruders by two or three categories.



        This issue of multi-category intruders does not, however, affect the definition, detection, or defense against pseudo-internal intruders. Any intrusion against a target

system can be connected to a primary form of access, which is the access actually used to

complete the intrusion. Several of our examples illustrate such primary forms of access.

Although the disgruntled employee captured the system administrator password using

pseudo-internal access to the target system, if the employee attacked the payroll machine

using the privileges of the administrator account then the employee is acting as an

internal intruder. The attack on the payroll machine would be defined as an internal

intrusion, and defending against the attack would require protection mechanisms

designed to counter internal intruders. Likewise, assume for a moment that the

disgruntled employee did not use the administrator account, and instead launched a denial

of service attack against the payroll machine. That denial of service attack could not be

defined as an internal intrusion since no user account was used. The attack would be a

proactive pseudo-internal intrusion and would require defenses designed to thwart

pseudo-internal intruders. The next section will describe the detection and defenses

against such pseudo-internal intruders.




Chapter 3: Security Recommendations

3.1     Defending Systems Against the Pseudo-Internal Intruder

        One of our purposes in defining the category of pseudo-internal intruders is to provide a carefully defined framework in which to discuss defending systems against them. Most of the data gathered on network intrusion incidents indicates that internal intruders are responsible for the majority of network security incidents [Pow99]. In a recent survey of financial institutions the most expensive incident reported was the work of an internal intruder: one bank spent over two million dollars tracking down what it assumed to be an 'Internet hacker' that had stolen intellectual property, only to find that it was a disgruntled employee [Mei99]. In fact, many statements made about internal intruders apply to pseudo-internal intruders as well. For example, a recent network security incident at a Chinese bank was widely reported as an 'internal' or 'insider' job, when the intruders actually used pseudo-internal tools and techniques [Reu98a, Reu98b]. The defense of systems against pseudo-internal (and internal) intruders is clearly of growing importance. As network perimeter defenses get stronger, and they will, more intruders will be forced to circumvent them and turn to pseudo-internal tools and techniques.

        It is also important to examine defenses against pseudo-internal intruders explicitly, since such defenses differ so much from the usual defenses against internal or external intruders. Common intrusion detection systems designed to defend against internal intruders examine the usage patterns of user accounts; they seek to discover unauthorized activity by existing accounts, since internal intruders use user accounts to attack a target system. Clearly, such packages will have no effect against intruders who do not use user accounts, that is, pseudo-internal intruders. Likewise, intrusion detection systems aimed at external intruders do not affect the pseudo-internal intruder, since their focus is on preventing the external intruder from penetrating the network perimeter. Because the pseudo-internal intruder is already inside the network perimeter, such perimeter defenses neither detect nor defend against pseudo-internal intruders.

        There are three steps to consider when attempting to protect a system against

potential intruders: denying an intruder access to the distributed system, mitigating the

consequences if an intruder does gain access to the distributed system, and detecting,

monitoring, and recording any intrusions. Recall that, by definition, a pseudo-internal

intruder has to have access to the digital pathways of communication that are part of the

network configuration. Because the pseudo-internal intruder is our primary concern, this

section will first address the issue of denying intruders access to the network

configuration of a distributed system. Denial of access to the network configuration

would entirely eliminate the possibility of pseudo-internal intruders from the system. We

know, however, that experts caution against assuming that any defensive actions will

totally preclude intruders from gaining access to a system. Therefore, we will secondly

address the issue of minimizing the effect of pseudo-internal intruders who do gain

access to the network configuration. Lastly, the issue of detecting, monitoring, and

recording pseudo-internal intrusions will be addressed. The combination of these three

steps provides an effective overall security strategy to defeat the pseudo-internal intruder.




        Prevention of access to the network configuration has two aspects: perimeter

defenses and physical configuration control. The objective of perimeter defenses is to

stop as many intruders as possible at the perimeter in order to deny them access to any

part of the distributed system. We will only be concerned with physical perimeter

defenses since pseudo-internal intruders entirely circumvent network perimeter defenses.

While network perimeter defenses play a vital role in distributed system security, they do

not protect against threats already inside the network perimeter and have no bearing on a

discussion about pseudo-internal intruders. Since there is a distinct possibility that

perimeter defenses will fail in stopping all intruders, it is necessary to protect each

component of the network configuration from unauthorized access. Physical

configuration control is any process by which the owners of a distributed system ensure

that no unauthorized hardware can be introduced to the physical configuration and that

authorized hardware is not used for unauthorized actions. In effect, physical

configuration control places some type of barrier around each component of the physical

configuration to prevent intruders from accessing such components or adding their own

pieces of hardware to the configuration. Such a barrier to unauthorized use can include

security measures like frequent inspections as well as traditional physical and digital

barriers.

        The second step in the overall system defense against pseudo-internal intruders is

limiting the abilities of pseudo-internal intruders that do gain access to the network

configuration by adequately controlling the network configuration. Network

configuration control is the manner in which the network configuration is managed to

ensure the highest degree of security, while complying with functionality requirements.



Remember that the network configuration not only includes all of the hardware of the

physical configuration and the avenues of digital communication, but the protocols used

for communication, and the way that communication is segmented. The network

configuration not only dictates the path communication follows, but how nodes in the

distributed system are allowed to communicate. By correctly managing such protocols,

network attributes, and segmentation, system administrators can make it more difficult

for pseudo-internal intruders to utilize and gather information from the network

configuration. The ways in which network configuration control can be practiced will be

further explained in the next section.

        There is always the possibility that all attempts to deny pseudo-internal intruders

access to the network configuration will fail. Successful pseudo-internal intrusions

should be identified and located as soon as possible. The process of network

configuration monitoring, the last piece of overall system security, continuously observes

all aspects of the network configuration searching for evidence of intruders. Successful

monitoring of the network configuration will alert system administrators to take

immediate action to prevent further damage to the distributed system.

        The following sections will further explain each of the three steps of defending a

distributed system against a pseudo-internal intruder. Additionally, examples of each

method of defense will be offered to illustrate ways in which the method can be

implemented.




3.2     Defending the Distributed System: Preventing Intruder Access

        Since chain link fences and armed guards contain no programs or data communication ports, physical perimeter defenses are, in theory, one of the easiest and most straightforward forms of computer security. In practice they are one of the hardest forms of security to implement effectively. Typically, the more restrictive physical perimeter defenses are, the less efficient the workforce hampered by them becomes. For example, allowing only system administrators into areas with machines (the most secure physical perimeter defense) would prevent other employees from using the system at all (a totally ineffective workforce). Few physical configurations of large, practical distributed systems reside within a physical perimeter that does not also contain the offices of many employees and users of the system. The other practical drawback of physical perimeter defense is that many potential pseudo-internal intruders have legitimate reasons to cross the physical perimeter. Both example scenarios involved intruders of this kind. When the industrial espionage agent took a job as a legitimate custodian, he or she was entitled to access within the physical perimeter of the target system; while the agent's duplicity might eventually have been discovered, the gambit of being hired as a custodian provided sufficient time to compromise the target system. Likewise, the disgruntled employee certainly was entitled to access within the physical perimeter. It would be unrealistic to expect a physical perimeter defense not only to prevent access by unauthorized persons, but also to prevent access by authorized persons planning unauthorized actions, while still admitting harmless authorized persons.



        Physical configuration control is the second aspect of preventing pseudo-internal intruders from gaining access to any part of a distributed system's network configuration. Recall that any practical physical perimeter defense will still admit legitimate employees, and those successfully masquerading as legitimate employees, to the facilities housing the target system. To prevent intruders who cross the perimeter from reaching the network configuration, physical configuration control measures protect each component of the physical configuration individually. With respect to physical configuration control, the components of the physical configuration fall into three groups: avenues of communication (network cabling), communication facilitators (network devices), and end points (workstations and servers). Each group can be protected in its own way. Running network cabling through grounded metal conduit is one way to protect it: the conduit attenuates the signals radiated by the cable, making it more difficult for pseudo-internal intruders to monitor traffic on the encased cabling with inductive or other non-contact devices, and a conduit that has been breached is more readily noticed by those inspecting the physical configuration for signs of tampering or unauthorized devices. For fiber optic network cables there are more advanced solutions like motion detectors and devices that monitor any disturbance of the fiber [Gri95].

        Network devices located in relatively insecure areas like wiring closets can be protected by locking them in metal cabinets. Like encasing network cable in conduit, securing the network device makes it more difficult for pseudo-internal intruders to monitor the signals going in or out of the device, or to connect unauthorized devices to the network configuration.

        Lastly, the workstations and servers must also be protected against monitoring and unauthorized use. Since it is unrealistic to encase every machine in metal, one can instead require that all desktop computers have power-on passwords and screen saver passwords, so that no one but the designated user of a machine can use it to gain access to the network configuration. A power-on password must be entered before the machine will perform any function, including booting the operating system or accessing the floppy disk drive. Because the power-on password is stored in the machine's firmware settings, an intruder who can open the case can usually clear it, so it complements rather than replaces the physical barriers described above. Computers can also be configured so that a screen saver activates whenever the computer has been idle for a certain period (usually 5 to 15 minutes), and a screen saver password requires the user to enter a password before the screen saver will deactivate and the machine can be used again.

        Measures can also be taken to ensure that all hardware complies with TEMPEST (a name often expanded as Transient Electromagnetic Pulse Emanation Standard), the standard for limiting compromising electromagnetic emanations. Without such precautions, intruders can gather information by monitoring the electromagnetic emanations coming from hardware; TEMPEST shielding prevents intruders from gathering information remotely from network hardware in this way. There may, however, be legal implications depending on the country in which the network is set up. A good explanation of TEMPEST, including both offensive and defensive aspects and legal issues, can be found in [Eck85] and [Sel90].

Physical configuration control not only utilizes barriers to protect each component of the physical configuration, but is also the process by which that protection is inspected and monitored for violations. In this way, physical configuration control ensures that no barrier to unauthorized access has been violated and no unauthorized devices have been added to the physical configuration. Verification of physical configuration integrity is usually achieved by educating the users of the system not to introduce unauthorized hardware and by continuously inspecting the physical configuration for unauthorized hardware. If any unauthorized device is found, it is either removed or receives the appropriate security measures. This kind of inspection of the physical configuration aids in the discovery and removal of unauthorized devices like packet sniffers that may have been placed in the physical configuration by pseudo-internal intruders.

Such inspections also address the problem of rogue outside connects. Recall that rogue outside connects are created when unauthorized hardware is added to the physical configuration. Such unauthorized hardware can create an outside connect unbeknownst to the system administrators. These unauthorized outside connects do not have network perimeter defenses and are rogue outside connects. Physical configuration control inspections identify unauthorized hardware. In this way, any rogue outside connect discovered is either removed or becomes a normal outside connect protected by network perimeter defenses.



3.3     Defending the Distributed System: Mitigating Intruder Access

Network configuration control measures are designed to make it more difficult for a pseudo-internal intruder with access to the system to execute a successful attack. If network configuration control measures prevent a pseudo-internal intruder from listening to information (reading) from the target system or effecting change (writing) on the target system, then there is little the pseudo-internal intruder can do.



Therefore, the first aspect of network configuration control is designing the configuration so that information is available to as few unintended recipients as possible (preventing unauthorized listening). This can be done either by encapsulating information so that unintended recipients cannot read it, or by preventing the information from reaching unintended recipients. One way of encapsulating information is to design an encryption scheme for all information traveling over the network of the distributed system. One possibility is to have hardware link encryptors that automatically encrypt and decrypt packets as they travel through a certain length of network cabling. This might be useful for areas where there is a higher possibility of intruders gaining access to network cabling. Another option would be to have all information encrypted between end-points (workstations or servers). This method of encryption would allow messages to be sent that only the intended recipients can decrypt. Of course, this introduces the question of key management, which is outside the scope of this paper. The main disadvantages of encryption are the cost, network latency, and implementation difficulties. A good treatment of the problems, costs, and intricacies of encryption and public key management can be found in [Den99] and [Sch96]. [And93] and [AN96] specifically address common reasons why implementations of cryptosystems fail.

A less expensive method of eliminating the availability of information to unintended recipients of any given packet is to configure the network into smaller network segments. Recall that, using routers, a system administrator can have packets passed on to only a small group of nodes that contains the machines of the actual recipients. In many network protocols, each packet has a header with information about that packet's destination. Unlike hubs, which simply pass on packets to everything connected to the hub, routers can examine the destination information of a packet and only pass that packet on in the direction(s) for which it is intended. While this does mean that every node on the same segment as the intended destination will receive a copy of the packet, this is more desirable than every node in the entire network configuration receiving a copy of the packet. This means that pseudo-internal intruders that are sniffing the network for packets will only receive packets intended for a node on the segment to which the intruder is connected.

The other aspect of network configuration control is preventing unauthorized communication over the network. Most network protocols have some method of uniquely identifying potential recipients of network traffic. Any device that communicates with other network devices must have one of these unique identifiers. Therefore, the identifiers themselves can be managed in order to control which devices can communicate on the network. For example, in an IP based network, all machines must have an IP address in order to receive network traffic. There are methods of managing these IP addresses from a central location in such a way that system administrators control whether a machine gets an IP address at all, and if so, which IP address. This makes it more difficult for pseudo-internal intruders to connect unauthorized devices to the network configuration and then run proactive scanning utilities. Without a valid IP address, the unauthorized device would not be able to receive the responses required for a proactive scan. In fact, even running a passive scan without a valid IP address requires either a much more expensive and rare hardware packet sniffer or a specially designed and configured operating system running a software sniffer, as opposed to the common software packet sniffer running on a personal computer.



While a pseudo-internal intruder might correctly guess a usable IP address, system administrators have a list of all authorized IP addresses if an IP address management scheme is in use on that distributed system. The next section will explain how system administrators can use such a list to monitor the network for potential pseudo-internal intruders.



3.4     Defending the Distributed System: Detecting Intruder Access

We know that none of these security measures will entirely eliminate the possibility of a pseudo-internal intruder gaining access to a target system. It is therefore critical that the system administrator have timely knowledge of any pseudo-internal intrusions. Knowledge of the existence of an intruder would allow system administrators to perhaps apprehend the intruder, feed the intruder misinformation, or at the very least, eliminate the intruder's access to the target system. Network configuration monitoring can provide system administrators with the needed warnings of pseudo-internal intruder activities.

Network configuration monitoring includes checking for unauthorized or incorrectly used unique identifiers (required to communicate on the network), querying the network for unauthorized devices (the digital equivalent of visually inspecting the physical configuration), and observing the status and presence of network devices that should be present in the network configuration.

There are a variety of technical ways to actually monitor the network configuration depending on its architecture. In a TCP/IP based network the unique identifiers are the IP addresses. The sender and recipient IP addresses contained in each packet's header can be compared against a list of approved IP addresses to ensure that only authorized devices are communicating over the network. The network can also be scanned for unauthorized MAC addresses. A MAC address is a unique number assigned to each piece of network hardware by the manufacturer. The vast majority of network devices can be queried to report that device's MAC address. System administrators can keep a list of the MAC addresses of all authorized devices and then compare the results of system-wide queries to that list. Lastly, there are multiple ways to query a network device to see if it is 'alive', that is, still operating and connected to the network. There are several possible situations in which a pseudo-internal intruder may need to disconnect a network device to either gain access to the network configuration, or perhaps borrow that device's IP address (since no two devices can have the same IP address). So, if a network device disappears from the network, even for a short period of time, system administrators may want to physically check the status of that device.
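The central address management of section 3.3 and the three monitoring checks just described (identifiers compared against the administrator's list, a system-wide query for devices, and a presence check of devices that should be there) fit together naturally, since the same list drives all of them. The following is an added example written for this page, not code from the thesis or its testbed: the authorized device list, every MAC and IP address, the capture lines and the query responses are constructed, and the chapter 4 node names are used only as labels.

```python
"""Added example (not from the thesis): central address management (section 3.3)
plus the network configuration monitoring checks of section 3.4. All device
names, addresses and capture lines below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The administrator's list: MAC address -> the one IP address that device may use.
# Node labels follow the chapter 4 testbed; the addresses themselves are made up.
AUTHORIZED: Dict[str, str] = {
    "00:10:4b:aa:00:01": "10.0.1.10",  # OAS  (operational administration server)
    "00:10:4b:aa:00:02": "10.0.1.11",  # OWk2
    "00:10:4b:aa:00:03": "10.0.1.12",  # OWk3
    "00:10:4b:bb:00:01": "10.0.2.10",  # MCDS (mission critical database server)
    "00:10:4b:bb:00:02": "10.0.2.11",  # MCDW
}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed address range of the testbed


def request_address(authorized: Dict[str, str], mac: str) -> Optional[str]:
    """Central IP management: a device is handed an address only if the
    administrator listed its MAC, and it gets exactly the address chosen for it."""
    return authorized.get(mac.lower())


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str


def parse_capture(text: str) -> List[Packet]:
    """Parse constructed capture lines of the form '<src_mac> <src_ip> <dst_ip>'."""
    packets = []
    for line in text.strip().splitlines():
        src_mac, src_ip, dst_ip = line.split()
        packets.append(Packet(src_mac.lower(), src_ip, dst_ip))
    return packets


def check_identifiers(authorized: Dict[str, str], packets: List[Packet]) -> List[str]:
    """First monitoring check: compare the identifiers in each packet header with
    the authorized list. Each finding starts with a fixed tag so it can be counted."""
    ip_to_mac = {ip: mac for mac, ip in authorized.items()}
    findings = []
    for p in packets:
        if p.src_mac not in authorized:
            findings.append(f"UNKNOWN-MAC {p.src_mac} sending as {p.src_ip}")
        if p.src_ip not in ip_to_mac:
            findings.append(f"UNAUTHORIZED-IP {p.src_ip} used by {p.src_mac}")
        elif ip_to_mac[p.src_ip] != p.src_mac:
            # An authorized address used from the wrong hardware: the
            # 'borrowed IP address' situation the text describes.
            findings.append(f"IP-MAC-MISMATCH {p.src_ip} belongs to "
                            f"{ip_to_mac[p.src_ip]} but was used by {p.src_mac}")
        # Destinations outside the local range (an external mail server, say)
        # are not on the list by design, so only local destinations are checked.
        if (ipaddress.ip_address(p.dst_ip) in LOCAL_NET
                and p.dst_ip not in ip_to_mac):
            findings.append(f"UNAUTHORIZED-DST {p.dst_ip} reached from {p.src_ip}")
    return findings


def check_query_results(authorized: Dict[str, str],
                        responders: Set[str]) -> Tuple[List[str], List[str]]:
    """Second and third checks: after a system-wide query for MAC addresses,
    return (unknown devices that answered, authorized devices that did not)."""
    unknown = sorted(m for m in responders if m not in authorized)
    missing = sorted(m for m in authorized if m not in responders)
    return unknown, missing


# Constructed capture: two normal exchanges, OWk3 talking to an outside mail
# server, then an unlisted device first with its own address and then with MCDW's.
CAPTURE = """
00:10:4b:aa:00:01 10.0.1.10 10.0.2.10
00:10:4b:bb:00:02 10.0.2.11 10.0.2.10
00:10:4b:aa:00:03 10.0.1.12 192.0.2.25
00:10:4b:cc:00:99 10.0.1.50 10.0.2.10
00:10:4b:cc:00:99 10.0.2.11 10.0.2.10
"""

# Constructed result of a MAC query: MCDW did not answer, an unlisted device did.
QUERY_RESPONDERS = {
    "00:10:4b:aa:00:01", "00:10:4b:aa:00:02", "00:10:4b:aa:00:03",
    "00:10:4b:bb:00:01", "00:10:4b:cc:00:99",
}

if __name__ == "__main__":
    for finding in check_identifiers(AUTHORIZED, parse_capture(CAPTURE)):
        print(finding)
    unknown, missing = check_query_results(AUTHORIZED, QUERY_RESPONDERS)
    print("unknown devices that answered the query:", unknown)
    print("authorized devices that did not answer:", missing)
```

Run on the constructed capture, the two packets from the unlisted device produce four findings (an unknown MAC twice, an unauthorized address once, and MCDW's address used from the wrong hardware once), and the query shows MCDW silent while the unlisted device answers; the two results together are exactly the "disappearing device whose address is being borrowed" case the text tells the administrator to check physically.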

No defensive measure listed here is a singular solution to the problem of the pseudo-internal intruder. Each measure narrows the possibility of a successful pseudo-internal intrusion. The measures do, however, represent an effective approach when all of the measures are implemented for a distributed system. Note that the majority of the suggestions for defending a distributed system against pseudo-internal intruders are cost-effective and require little extra hardware and software. These techniques can, however, be combined with commercial intrusion detection systems for even more security.

While it seems certain that future pseudo-internal intruders will develop techniques not considered by us, these techniques will still operate in the domain of a target system's network configuration. Access to the network configuration by unauthorized persons is prevented by physical perimeter defenses, network perimeter defenses, physical configuration control, and network configuration control. Network configuration monitoring provides warnings to system administrators of authorized persons committing unauthorized pseudo-internal intruder activities, and of any unauthorized persons that somehow gained access to the distributed system.







Chapter 4: Case Study

4.1     Introduction

The purpose of the case study was to illustrate the threat that a pseudo-internal intruder represents to an average distributed system and how to mitigate this threat. The case study had two phases. In the first phase, a set of pseudo-internal intruder attacks was executed against a distributed system using common state of practice network security. The results of the attacks and the ability of the system to detect the attacks were recorded to illustrate how vulnerable the common network is to a pseudo-internal intruder. The state of practice in network security is that a distributed system has adequate to exceptional network perimeter defenses, but very few security measures devoted to the detection of intruders within the network perimeter. A recent survey of security practitioners in corporations, government agencies, and educational institutions showed that out of 501 respondents only 42 utilized any form of internal intrusion detection, as opposed to the 91 respondents utilizing firewalls [Pow99]. Even those distributed systems that do have some sort of intra-network perimeter intrusion detection usually check for authorized users committing unauthorized actions. This commonly implemented type of internal intrusion detection does little to protect against pseudo-internal intruders because the detection systems examine the use of user accounts.

The second phase of the case study executed the same set of pseudo-internal intruder attacks against the same distributed system. However, in the second phase of the case study the network security recommendations of this thesis were implemented prior to executing the attacks. The results of the attacks and the ability of the system to detect the attacks were recorded in both phases. The benefits of the security recommendations will be apparent by analyzing the differences between the results of the two phases of the case study.



4.2     The Target System

The invasive nature of some pseudo-internal intruder attacks required that the case study be done on a testbed distributed system, as opposed to an active real world system. For example, it would not be feasible to execute a denial of service attack against an operational distributed system, since system functionality would be degraded. Although it was not possible to build a testbed distributed system as large as many real world systems, an attempt was made to build a testbed distributed system that was representative of a large real world system.

Node Name   Description                             Operating System   Segment (when applicable)
OAS         Operational Administration Server       Linux 2.2          1 (Operational)
OWk2        Operational Workstation 2               Windows98          1 (Operational)
OWk3        Operational Workstation 3               Windows98          1 (Operational)
MCDS        Mission Critical Database Server        Linux 2.2          2 (Mission Critical)
MCDW        Mission Critical Database Workstation   Windows95          2 (Mission Critical)

                       Table 4-1: Nodes in Testbed Distributed System


Our testbed network had 5 nodes, 2 hubs, a router, and a firewall. The equipment varied widely: nodes running multiple operating systems (Linux, Windows95, and Windows98) and network devices from different vendors (ODS Networks and Cabletron). Additionally, the networking devices used were capable of supporting a much larger network. The router was a 10 Gigabit per second capable Cabletron 6500 SmartSwitch with modules supporting Gigabit Ethernet, ATM, and Fast Ethernet. The network configuration diagrams (figures 4-1 and 4-2) are drawn to show "the rest of the network" cloud, which could contain many more nodes.

The testbed distributed system was divided into two halves: an operational group connected to hub OP (Operational), and a mission critical group connected to hub MC (Mission Critical). Node OAS (Operational Administration Server) was running Linux 2.2 and was the machine used by the system administrator of the target system. Node OWk2 was a Windows98 operational workstation. Node OWk3 was another Windows98 operational workstation with an unauthorized modem attached. That unauthorized modem was connected to an outside phone line, creating a rogue outside connect. Node MCDS (Mission Critical Database Server) was also running Linux 2.2. Node MCDW (Mission Critical Database Workstation) was running Windows95. Any communication to or from a mission critical node was considered to be mission critical communication.

To simulate the activity of a distributed system, several communication activities were executed during each of the pseudo-internal intruder attacks. Nodes MCDS and MCDW communicated with each other. Node OAS communicated with node MCDS. Lastly, the user of node OWk3 connected to a POP mail server external to the testbed distributed system to retrieve mail messages. Having a user from one node establish a connection with another node and send a text file to that node simulated mission critical communication. Each text file contained "Mission Critical Information" as the first line and then information stating who the message was from and for whom it was intended.

For the purposes of the case study, each pseudo-internal intruder attack had the goal of either intercepting or disrupting mission critical communication. Intercepting user account names and passwords was a secondary goal. Pseudo-internal intruder attacks came from two different sources: the unauthorized laptop connected to hub OP, and the rogue outside connect created by the unauthorized modem on node OWk3. Both of these attack sources are plausible real world possibilities. The previously mentioned industrial espionage agent posing as a janitor could potentially gain access to a wiring closet containing a hub. Likewise, an unwitting employee could connect a modem to an office machine in order to be able to dial up from home and check e-mail without having to purchase Internet service at home.




               Figure 4-1: Network Configuration of Phase 1 Testbed System





As mentioned, the testbed distributed system in the first phase of the case study was designed to represent the state of common practice in terms of network security measures. The firewall was configured to let no outside traffic through that was not requested by an internal host. This allowed machines on the inside to communicate with the outside world, but only if the internal machine initiated the communication. In general, this is restrictive from the viewpoint of functionality (no outside accessible web pages), but is considered to be a very strong network perimeter defense. This type of firewall configuration was chosen to illustrate that even the strongest network perimeter defenses have no effect on pseudo-internal intruders. The firewall will not be considered again since no pseudo-internal intruder attack will utilize the outside connect, and therefore no attack will be influenced by the presence of a firewall.

Both the database and administration servers (nodes MCDS and OAS) had audit logs enabled. The audit logs recorded an entry each time a request for service or a query for information was received. Enabled audit logs represent average security practice as long as an administrator regularly reviews them. All network devices (routers and hubs) were configured in 'out-of-box' mode. That is, no changes were made to factory settings. Likewise, all software, including operating systems, was installed from the original retail media. That meant that no security patches or upgrades that were not shipped with the software product were installed. Although such practices are considered poor network security, one is more likely to encounter such installations rather than continuously updated software and specially configured network devices. Lastly, no internal encryption was used and no internal network intrusion detection packages were in use.







4.3      The Pseudo-Internal Intruder Attacks

In order to adequately demonstrate the capabilities of a pseudo-internal intruder, we defined six different attacks. At least one of each of the four types of pseudo-internal intruder attack tools and techniques (network assessment tools, packet sniffers, exploits, and denial of service attacks) was represented in the set of six attacks. Recall also that a pseudo-internal intruder requires one of two types of access: physical access to a part of the network configuration, or a rogue outside connect. The following set of attacks against the target system also included at least one attack from each form of access:

                 1) Packet Sniffer – Software [Laptop]
                 2) Network Assessment Tool – Active [Rogue Outside Connect]
                 3) Exploit – Ping of Death [Laptop]
                 4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]
                 5) Denial of Service Attack – Ping Flood [Laptop]
                 6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]

Attacks 1, 3, 4, and 5 were executed from a Pentium II class laptop running Windows 98. The laptop was connected to the non-mission critical half of the distributed system via an open port on hub OP (see diagram). As has been discussed, connecting the laptop to hub OP simulated a pseudo-internal intruder with physical access to at least one piece of the network configuration. Attacks 2 and 6 were executed from a remote laptop connected to node OWk3 via a modem. The unauthorized modem represents a rogue outside connect.




The first attack used a software packet sniffer from Network Associates called Sniffer Pro LAN. The goal of packet sniffing is to intercept mission critical communication and user account names and passwords.

The network assessment tool used for the second attack was NetRecon by Axent Technologies. NetRecon allows the pseudo-internal intruder to direct it to actively scan a range of IP addresses or simply attempt to scan everything on the network. NetRecon provides the user with information about what operating systems nodes are running, what services are active on the nodes, and how those services are vulnerable to attack.

The third attack was an exploit called the Ping of Death. It was found that sending an abnormally large ping packet to a Windows95 machine would cause the machine to either lock up or crash. When successful, such an attack eliminates the functionality of a Windows 95 machine until the machine is rebooted. Microsoft released a security patch for Windows 95 that prevented this problem from occurring, but many machines have never had the security patch installed. Unless the owner of a machine specifically downloaded and installed the security patch, their Windows 95 machine remains susceptible to the Ping of Death attack.

The fourth attack was the same as the third, except that a hacker program called WinNuke was utilized by the pseudo-internal intruder. WinNuke is a program that runs on Windows 95 or 98 machines and executes a Ping of Death attack against any number of machines as directed by the user.

The fifth attack was a denial of service attack called a ping flood. A ping flood is an attack where the pseudo-internal intruder directs the laptop to continuously send ping packets to a target machine at a high rate of speed. This attack effectively cuts off the target machine from the network. The target machine is receiving so many ping packets that it cannot respond to any other request for service. Even when the machine is able to respond to a request for service, it is likely that the pathways of network communication are clogged with the ping packets, thereby making communication with any other machine difficult.

The last attack is a different kind of denial of service attack called a Smurf attack. In a Smurf attack, the pseudo-internal intruder directs a machine to send a ping packet to multiple machines. The ping packet is constructed to appear as if it came from some target machine. Therefore, all of the machines that receive the ping packet respond by sending a packet to the target machine, and not the pseudo-internal intruder's machine. In this way, the target machine is overwhelmed in a manner similar to the above ping flood. This attack has the advantage of being indirect (the ping flood is not coming from the pseudo-internal intruder's machine). The attack is shorter in duration unless the attack machine continues to send the bogus ping packets to multiple machines.



4.4     Expected Results

Two results were recorded for each pseudo-internal intruder attack. The first result was the success of the particular attack. Each attack had a stated goal, and the success of an attack was determined by comparing the result with the goal. The second recorded result was the ability of the distributed system to detect the attack, even if the attack succeeded. The ability of the distributed system to detect an attack was judged by examining the footprint of the attack and any security measures in place to examine footprints. A footprint is any observable change in the network configuration of a distributed system.



4.5       Results of Attacks on Target System – Phase 1

The following section will discuss the results of executing the set of attacks against the Phase 1 target system.

1) Packet Sniffer – Software [Laptop]

      -   Result: The packet sniffer successfully captured the exchange of the mission critical text file and user names and passwords between nodes OAS and MCDS and nodes MCDS and MCDW. In any network each packet first goes to the gateway machine. The gateway decides whether the packet is for an external machine or an internal machine. If the packet is for an internal machine, the gateway broadcasts that packet back toward the network. In an unsegmented network the packet is broadcast to every machine. Any machine that is not the intended recipient of the packet simply ignores it, unless the machine is running a packet sniffer, which records all packets. The packet sniffer even captures the packets between nodes on a different hub since each packet goes out to the gateway (which is also the firewall in this case) and then back to all devices (since there is no segmenting). The packet sniffer also captured the external POP Mail server account name and password of the user of node OWk2.

      -   Footprint: The footprint for this attack is small. The only changes made to the network configuration by the packet sniffer were an additional port in use on hub OP (laptop plugged in to it) and an additional MAC and IP address in use on the network. Without special configuration (not in use in this case), the laptop will answer any MAC address or IP address scan and would show up on a Network Assessment scan. That is, if the laptop receives any request to report its IP or MAC address, it will respond with the addresses it is using. But, in the first phase of the case study, none of these things are being monitored. Therefore, the footprint of this first attack is not observable without further security changes to the system.



2) Network Assessment Tool – Active [Rogue Outside Connect]

    -   Result: The active network assessment, via the modem line, succeeded in gaining information on all nodes on the network, including what operating system was running and what services were active. The scan reported that node MCDW was a Windows 95 machine vulnerable to a Ping of Death attack. There were a few added obstacles that the pseudo-internal intruder had to surmount to achieve the successful scan. The user of node OWk3 that set up the modem has the option of requiring a password to remotely connect to node OWk3. The pseudo-internal intruder would have to obtain such a password to connect to node OWk3. Just as physical security was ignored for the purposes of the case study, this issue was also not considered, but it should be noted.

    -   Footprint: The nature of the rogue outside connect required that the assessment tool be run in active mode. The Point to Point Protocol connection between the remote intruder and node OWk3 did not allow the intruder's computer to passively "listen" to communication over the network. The intruder's computer must actively request information by sending a packet to a host that requires a response. Therefore, the footprint of this attack is larger than that of the packet sniffer. While the modem connection does not require an additional IP or MAC address to be assigned to the remote laptop, the active actions create traffic coming from node OWk3. So any machine with audit logs enabled will record that node OWk3 (the machine with the modem) was requesting information about what services were running on the server. Any review of the audit logs would reveal suspicious activity and likely result in the discovery of the unauthorized modem. Therefore, the intruder would have to follow up the active assessment with another activity since discovery is highly likely.



3) Exploit – Ping of Death [Laptop]

    -   Result: The pseudo-internal intruder was successful in locking up node MCDW by sending an abnormal size ping packet (Ping of Death attack) from the laptop on hub OP to node MCDW on hub MC. The workstation locked up and had to be rebooted. There was no warning as to why the workstation locked up. Any unsaved work was lost and the functionality of the machine was eliminated until it was rebooted.

    -   Footprint: The footprint for this attack is only slightly larger than the footprint for attack 1. Other than the existence of the laptop issues discussed above, the only additional change in the network configuration is the presence of the abnormal size packet. Although there are servers with audit logs enabled that do receive the abnormal size ping packet (since all machines receive every packet), the servers do not record the event since the packet is not intended for that machine. There are no other security measures in place in phase 1 to detect the Ping of Death attack.




4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]

    -   Result: Attack 4 was as successful as attack 3. In fact, the results were exactly the same. The only difference between the two attacks is that a Windows program was used to launch the attack from the laptop instead of using the ping command.

    -   Footprint: The footprint for this attack was no different than that of attack 3. The use of the program WinNuke instead of manually sending the abnormal size ping packet makes no difference with respect to the network configuration.



5) Denial of Service Attack – Ping Flood [Laptop]

    -   Result: The pseudo-internal intruder laptop on hub OP sent a continuous stream of ping packets to node MCDS on hub MC. Nodes OAS and MCDW were observed to be unable to communicate reliably with node MCDS because node MCDS was too busy answering the pings from the laptop (intermittent communication was possible). The ability of any node to communicate with any other node was degraded because the ping packets saturated the entire network: in the phase 1 configuration each ping packet is first sent to the gateway and is then repeated to every node on the network.

    -   Footprint: The footprint of attack 5 is similar to that of attacks 3 and 4. The presence of the laptop on the network creates unauthorized MAC and IP address usage. Likewise, there are servers (node OAS) with audit logs enabled that see the ping packets but do not record them, since the pings are addressed to another machine. The audit logs on node MCDS itself would show all of the incoming ping packets. The footprint was, however, more noticeable to all users of the network because of the "sluggishness" created by the saturation of the network with ping packets. No security tool in use for phase 1 of the case study would indicate a ping flood attack in progress, but it is likely that the system administrators would quickly realize that something was wrong with the network and investigate further.



6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]

    -   Result: The results of this attack are similar to those of attack 5. Reliable communication between node MCDS and any other node was not possible, and communication for every node was degraded by the saturation of the network with ping packets. The difference between attacks 5 and 6 was the way in which the attack was launched. Attack 6 was launched from the remote laptop connected to node OWk3 via a modem. The pseudo-internal intruder's remote laptop sent ping packets to several other nodes, each constructed with a forged source address so that it appeared to have been sent by node MCDS. Every node that received one therefore replied to node MCDS. This process was repeated to create a continuous flow of ping replies directed at node MCDS; because each forged request produces one reply from every node that receives it, the volume arriving at MCDS is a multiple of what the intruder sends.

    -   Footprint: Attack 6 has a larger footprint than the other attacks because several nodes receive ping packets that appear to come from node MCDS. Thus, servers with audit logs would record the numerous requests to respond to node MCDS. As in attack 5, all users of the network would notice that the network was "sluggish" and unresponsive. It would certainly be noticeable in the audit logs of node MCDS, which would show a large number of ping replies that MCDS never requested.



4.6      Security Changes Made to Testbed System for Phase 2

         In order to demonstrate the effectiveness of the security measures proposed by this thesis, the following security changes were made to the testbed distributed system prior to phase 2 of the case study. These are the changes advocated to mitigate the consequences of a pseudo-internal intruder gaining access to a target system and to detect, monitor, and record any intrusions. Specifically, they are steps to increase network configuration control and network configuration monitoring. Denying the intruder access to the distributed system (physical perimeter defense and physical configuration control) was not considered for the case study.

         To limit the unintended recipients of a given packet, the testbed distributed system was divided into two segments. The first segment contained the nodes connected to hub OP and represents the operational segment. The second segment contained the nodes connected to hub MC and represents the mission critical segment. Any packet transmitted from the gateway (the firewall in this case) was only transmitted to nodes in the segment that contained the recipient of the packet. Also, in an effort to limit the unintended recipients of any mission critical packet, all mission critical communication was encrypted. Likewise, all nodes were required to use encrypted replacements for telnet and the file transfer protocol, so that account names and passwords no longer cross the network in the clear.

         A network intrusion detection monitoring device was inserted between the router and hub MC to monitor and protect the mission critical segment. The device was actually a router containing a computer running Internet Security Systems' (ISS) RealSecure monitoring product. The network intrusion detection monitoring device was made by ODS Networks Inc. [ODS97, ODS98]. Each packet that passed through the device was examined by the ISS RealSecure software and compared against a set of signatures for many known attacks. For example, if a packet matched an oversized Ping of Death packet, then the packet was discarded and not allowed to pass through to the segment protected by the device. The software also checks for attack patterns that span multiple packets. For example, it allows several consecutive ping packets for a single machine to pass, but too many consecutive ping packets indicate a ping flood attack and the excess packets are blocked from passing the device. Any suspicious packet activity found by the software is reported to the system administrator via e-mail. If the system is unable to send e-mail, it dials the system administrator's digital pager using a modem connected to an outside phone line (out-of-band), so that an attack which saturates the network cannot also suppress the alert.
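The three checks described above (an oversized fragment, too many echo requests in a short window, and the multi-packet Smurf pattern from attack 6), written out as an added example. This is not the thesis's code and not the logic of ISS RealSecure or the ODS device; it models only inbound traffic toward the protected segment, and the segment addresses, the thresholds, and the sample traffic are all assumptions constructed to mirror the phase 1 attacks 3, 5 and 6:

```python
"""ICMP inspection rules of the kind the phase 2 monitoring device applies at the boundary
of the mission critical segment.  Only inbound traffic (router -> hub MC) is modelled."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import ipaddress

MAX_DATAGRAM = 65535   # largest IPv4 datagram; fragments reassembling past it are a Ping of Death
WINDOW = 1.0           # seconds of history kept per flow (assumed threshold)
FLOOD_THRESHOLD = 20   # echo requests from one source to one target inside WINDOW (assumed)
SMURF_THRESHOLD = 5    # distinct hosts whose echo replies converge on one target inside WINDOW (assumed)


@dataclass
class Packet:
    ts: float              # capture time in seconds
    src: str
    dst: str
    proto: str = "icmp"
    icmp_type: int = 8     # 8 = echo request, 0 = echo reply
    length: int = 84       # bytes in this datagram or fragment, IP header included
    frag_offset: int = 0   # IP fragment offset field, in units of 8 bytes


class Inspector:
    """Stateful inline filter for one protected segment."""

    def __init__(self, protected_net):
        self.net = ipaddress.ip_network(protected_net)
        self.requests = defaultdict(deque)   # (src, dst) -> times of recent echo requests
        self.replies = defaultdict(dict)     # dst -> {src: time of last echo reply}

    def inspect(self, pkt):
        """Return the names of the rules the packet triggers; an empty list means pass."""
        hits = []
        if pkt.proto != "icmp":
            return hits
        # Ping of Death: this fragment's offset plus its length exceeds the IPv4 maximum,
        # so reassembly would overrun the receiver's buffer.
        if pkt.frag_offset * 8 + pkt.length > MAX_DATAGRAM:
            hits.append("ping-of-death")
        if pkt.icmp_type == 8:
            # An inbound request whose source lies inside the protected segment can only be
            # forged; it is what a Smurf attacker sends to turn segment nodes into relays.
            if ipaddress.ip_address(pkt.src) in self.net:
                hits.append("spoofed-internal-source")
            recent = self.requests[(pkt.src, pkt.dst)]
            recent.append(pkt.ts)
            while recent and pkt.ts - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) > FLOOD_THRESHOLD:
                hits.append("ping-flood")
        elif pkt.icmp_type == 0:
            # Smurf seen from the target's side: replies from many hosts converge on one address.
            seen = self.replies[pkt.dst]
            seen[pkt.src] = pkt.ts
            for stale in [s for s, t in seen.items() if pkt.ts - t > WINDOW]:
                del seen[stale]
            if len(seen) >= SMURF_THRESHOLD:
                hits.append("smurf-replies")
        return hits


def filter_traffic(inspector, packets):
    """Drop every packet that triggers a rule; report pass/drop counts and a per-rule tally."""
    passed = dropped = 0
    tally = Counter()
    for pkt in packets:
        hits = inspector.inspect(pkt)
        if hits:
            dropped += 1
            tally.update(hits)
        else:
            passed += 1
    return {"passed": passed, "dropped": dropped, "alerts": tally}


def build_sample_traffic():
    """Constructed traffic modelled on the phase 1 attacks.  Addresses are assumptions:
    operational segment 10.1.0.0/24 (laptop 10.1.0.99), mission critical segment
    10.2.0.0/24 (MCDS 10.2.0.10, MCDW 10.2.0.11)."""
    pkts = [Packet(0.0, "10.1.0.5", "10.2.0.10")]                                     # ordinary request
    pkts.append(Packet(0.1, "10.1.0.99", "10.2.0.11", length=1500, frag_offset=8100))  # attack 3
    pkts += [Packet(0.2 + i * 0.01, "10.1.0.99", "10.2.0.10") for i in range(30)]     # attack 5
    pkts += [Packet(0.6 + i * 0.01, f"10.1.0.{20 + i}", "10.2.0.10", icmp_type=0)
             for i in range(6)]                                                        # attack 6 replies
    pkts.append(Packet(0.7, "10.2.0.10", "10.2.0.11"))                                 # attack 6 relay attempt
    return pkts


def demo():
    return filter_traffic(Inspector("10.2.0.0/24"), build_sample_traffic())


if __name__ == "__main__":
    print(demo())
```

Running `demo()` passes the first 20 requests of the flood and the first four Smurf replies, as the phase 2 results describe, and drops everything after the thresholds. The spoofed-source rule needs no threshold at all: a request entering the segment with a source address that belongs to the segment is forged by definition, which is why the relay attempts in phase 2 fail on the first packet.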

         In an effort to increase network configuration monitoring, each segment has one server that continuously scans for unauthorized MAC and IP address activity. A full network assessment utility is periodically run as well to search for unknown and unauthorized nodes. Likewise, an RMON (Remote Monitoring) compliant network device monitoring utility is used on each segment. RMON is an SNMP-based standard for communicating remote network management information over the network. The monitoring utility queries the network device for information such as which ports are in use, which MAC addresses are using which port, and how much traffic is passing through the device. Some RMON compliant software can also analyze this data for trends, or be configured to notify the administrator automatically when certain ports come into use or when overall network traffic reaches a given level.
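The comparison such a monitoring server makes, written out as an added example (not the thesis's code and not any vendor's product): a poll of which MAC and IP address is answering on which hub port is checked against an authorized inventory, and every deviation is named. The hub names follow the testbed; the MAC and IP addresses and the three intruder scenarios are constructed for the example.

```python
"""Network configuration monitoring: compare a (hub, port, MAC, IP) poll against an
authorized inventory and flag every deviation an unauthorized node would produce."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    hub: str   # hub name, e.g. "OP" or "MC"
    port: int  # physical port number on that hub
    mac: str   # hardware address seen on the port
    ip: str    # IP address that hardware address is answering for


def _norm(b):
    """Canonical MAC spelling so that case or separator differences cannot hide a match."""
    return Binding(b.hub, b.port, b.mac.lower().replace("-", ":"), b.ip)


def audit(authorized, observed):
    """Return sorted (finding, detail) pairs for every way the poll differs from the inventory."""
    authorized = [_norm(b) for b in authorized]
    observed = [_norm(b) for b in observed]
    by_mac = {b.mac: b for b in authorized}
    by_ip = {b.ip: b for b in authorized}
    live_ports = {(b.hub, b.port) for b in authorized}
    findings = []
    for o in observed:
        where = f"{o.hub}:{o.port}"
        if (o.hub, o.port) not in live_ports:
            findings.append(("unauthorized-port", f"{where} is active but assigned to no node"))
        owner = by_mac.get(o.mac)
        if owner is None:
            findings.append(("unknown-mac", f"{o.mac} on {where} using {o.ip}"))
        elif (owner.hub, owner.port) != (o.hub, o.port):
            findings.append(("mac-moved", f"{o.mac} expected on {owner.hub}:{owner.port}, seen on {where}"))
        holder = by_ip.get(o.ip)
        if holder is None:
            findings.append(("unknown-ip", f"{o.ip} on {where} is outside the address plan"))
        elif holder.mac != o.mac:
            findings.append(("ip-hijacked", f"{o.ip} belongs to {holder.mac} but is used by {o.mac}"))
    seen = {o.mac for o in observed}
    for a in authorized:
        if a.mac not in seen:
            findings.append(("silent-node", f"{a.mac} ({a.ip}) on {a.hub}:{a.port} did not answer"))
    return sorted(findings)


# Constructed inventory for the testbed; addresses are assumptions.
INVENTORY = [
    Binding("OP", 1, "00:00:0c:aa:00:01", "10.1.0.1"),   # OAS
    Binding("OP", 2, "00:00:0c:aa:00:02", "10.1.0.2"),   # OWk1
    Binding("OP", 3, "00:00:0c:aa:00:03", "10.1.0.3"),   # OWk2
    Binding("OP", 4, "00:00:0c:aa:00:04", "10.1.0.4"),   # OWk3
    Binding("MC", 1, "00:00:0c:bb:00:01", "10.2.0.10"),  # MCDS
    Binding("MC", 2, "00:00:0c:bb:00:02", "10.2.0.11"),  # MCDW
]
LAPTOP_MAC = "00:A0:C9:DE:AD:01"   # deliberately upper case to exercise normalisation


def scenario_new_port():
    """Laptop on a spare hub port with an address outside the plan (phase 2, attack 1)."""
    return audit(INVENTORY, INVENTORY + [Binding("OP", 7, LAPTOP_MAC, "10.1.0.99")])


def scenario_borrowed_ip():
    """Laptop on a spare port, borrowing OWk2's address to blend in."""
    return audit(INVENTORY, INVENTORY + [Binding("OP", 7, LAPTOP_MAC, "10.1.0.3")])


def scenario_replaced_node():
    """Laptop unplugs OWk2 and takes over both its port and its address."""
    observed = [b for b in INVENTORY if b.ip != "10.1.0.3"] + [Binding("OP", 3, LAPTOP_MAC, "10.1.0.3")]
    return audit(INVENTORY, observed)


if __name__ == "__main__":
    for name, fn in [("new port", scenario_new_port), ("borrowed IP", scenario_borrowed_ip),
                     ("replaced node", scenario_replaced_node)]:
        print(name, fn())
```

The third scenario is the one a simple "unknown MAC" check alone would not fully explain: the port and the address are both legitimate, and it is the combination of a silent authorized node and a hijacked address that points the administrator at the right hub port.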




               Figure 4-2: Network Configuration of Phase 2 Testbed System








4.7       Results of Attacks on Target System – Phase 2

      The following section will discuss the results of executing the set of attacks against

the phase 2 target system.

1) Packet Sniffer – Software [Laptop]

      -   Result: The packet sniffer was only able to capture the external POP mail server account name and password of the user of node OWk2, because POP sends both in the clear. Since all communication between mission critical nodes was encrypted, the packets containing the mission critical text file and the user account names and passwords were unreadable. Even if communications between nodes MCDS and MCDW had not been encrypted, the sniffer would not have captured them, since packets not intended for nodes on segment 1 are not transmitted to segment 1 (where the laptop is connected).

      -   Footprint: While the footprint is no different from what it was in the first phase of the case study, there were more security measures in place to detect it. The network administration server on the same segment as the laptop reported an unidentified MAC address and IP address in use (the laptop). The periodic active network assessment from node OAS also detected the laptop and reported the operating system and services it was running. From that information, the system administrator on node OAS could conclude that there was an unidentified machine in use on the segment. Furthermore, the RMON compliant monitoring software reported that an additional port on hub OP was in use. In this way the system administrator could determine the physical location of the unauthorized node visible on the network (by tracing the wiring from the unauthorized port on hub OP). This was true for all attacks using the laptop, so it will not be mentioned again in detail.



2) Network Assessment Tool – Active [Rogue Outside Connect]

    -   Result: In most segmenting schemes, system administrators use different ranges of IP addresses for different segments of the network. Without knowing the address scheme, a machine on one segment cannot readily direct packets at a machine on another segment. For this reason, the active network assessment tool was only able to gain information about the nodes on the same segment as node OWk3. Without knowledge of the IP addresses of nodes MCDS and MCDW (segment 2 nodes), the tool had no way to gather information about those nodes. Therefore, the pseudo-internal intruder using the rogue outside connect had no way of knowing what operating systems were in use by the segment 2 (Mission Critical) nodes or what vulnerabilities those nodes might have. The active assessment still gained the same information as in the first phase of the case study about the nodes on segment 1 (Operational). Note that hiding the address range delays reconnaissance rather than preventing it: an intruder who guesses the range (adjacent private ranges are a common choice) or learns it from a host that communicates with both segments can still probe it. The control that actually blocks such probes is the network intrusion detection monitoring device, which can be configured to deny packets carrying the requests for information that active network assessment tools rely on.

    -   Footprint: As in the first phase of the case study, the audit logs active on node OAS recorded the activities of the network assessment tool. As before, further investigation into why node OWk3 was requesting information from other machines would lead the system administrator to discover the unauthorized modem.







3) Exploit – Ping of Death [Laptop]

    -   Result: This attack was totally unsuccessful in phase 2 of the case study. The abnormal size ping packet sent from the laptop was stopped by the network intrusion detection monitoring device protecting the mission critical segment on hub MC. The device immediately reported to the system administrator, via e-mail, that a Ping of Death attack had been attempted against node MCDW. Node MCDW was never affected.

    -   Footprint: Like the other attacks, the footprint of attack 3 was no different in phase 2 of the case study. The difference is that measures had been put in place to detect attack footprints. The network intrusion detection monitoring device immediately reported the attack to the system administrator and narrowed the source of the attack to the operational segment. The system administrator at node OAS would then be able to employ the methods discussed in attack 1 to locate the unauthorized laptop quickly.



4) Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]

    -   Result: The results were the same as those of attack 3.

    -   Footprint: The footprint and the system's ability to detect the footprint were the same as in attack 3.



5) Denial of Service Attack – Ping Flood [Laptop]

    -   Result: Attack 5 was partially successful. When the pseudo-internal intruder using the laptop attempted to ping flood node MCDS, the network intrusion detection monitoring device stopped the flood of ping packets from reaching any node on segment 2. Because of the segmenting of the network, the ability of nodes to communicate with each other was not degraded as badly as in phase 1: the ping packets are no longer rebroadcast by the gateway to all nodes on the network, so the only interference is from the original ping packets travelling from the laptop toward node MCDS. Those packets were numerous enough to somewhat degrade the operational segment nodes' ability to communicate over the network, since the laptop shares that segment. The network intrusion detection monitoring device notified the system administrator via an out-of-band page. Since the network intrusion detection monitoring device is also a router, packets from node MCDS to node MCDW were sent to the router and then back to node MCDW. These packets did not have to go to the gateway, because the router recognized the recipient as a mission critical segment node and directed the packets back to MCDW. The attack did not degrade the ability of mission critical segment nodes to communicate with each other.

    -   Footprint: Once again, the footprint of attack 5 was the same as in phase 1, but the network intrusion detection monitoring device recognized the ping flood and reported the attack to the system administrator. As in the attacks above, the administrator was able to locate the unauthorized laptop.



6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]

      -   Result: The results of attack 6 were similar to those of attack 5. The first several replies from nodes on segment 1 were allowed through to node MCDS, but the network intrusion detection monitoring device blocked the bulk of them as soon as it recognized a Smurf ping flood attack. Additionally, attempts to use any node on segment 2 as a Smurf relay (a node that answers the forged request with a reply to the target) failed because the network intrusion detection monitoring device stopped all attempts to use those machines as relays. (A request entering the segment with a source address that belongs to the segment can only be forged, so this is a check an inline device can make on the first packet, without any rate threshold.) These incidents were reported to the system administrator immediately.

      -   Footprint: The footprint was the same as in phase 1, but, as in the previous attacks, the system administrator was able to use the information sent by the network intrusion detection monitoring device to locate the source of the attack: the remote laptop connected through the unauthorized modem on node OWk3.



4.8       Summary

          Although not a large, real world distributed system, the testbed system was sufficient to illustrate the differences between state-of-practice and state-of-the-art security measures with respect to pseudo-internal intruders. The hardware that comprised the testbed system was diverse enough to be representative of the types of devices and machines found in the majority of distributed systems. Because the testbed system could serve as the backbone of a thousand node system, its scalability also made it representative of large real world distributed systems.

          The results of the first phase of the case study showed many of the network related vulnerabilities still present in a distributed system with state-of-practice security measures. State-of-practice security often does not provide internal access control for users of the network. While security measures are in place to prevent unauthorized external access to the network, anyone inside the network perimeter can connect a device to the network with little difficulty. Nor did the testbed system have any network traffic control mechanisms: at no point inside the network perimeter was network traffic examined for authenticity (whether it came from a legitimate internal node) or for danger to the network (a Ping of Death packet, for example). Lastly, state-of-practice security makes little effort to monitor the internal network for intruders. Such security depends upon network perimeter defenses to keep intruders out of the system and upon host based intrusion detection packages to detect unauthorized actions by users. After executing the set of pseudo-internal intruder attacks, it was apparent that a pseudo-internal intruder can do great damage by exploiting the vulnerabilities found in a distributed system with only state-of-practice security.

          For the second phase, the security recommendations for combating the pseudo-internal intruder were implemented prior to executing the set of attacks. Comparing the results of the attacks from the two phases, it is apparent that network configuration control and network configuration monitoring help mitigate the threat of the pseudo-internal intruder. For each attack, the success of the attack decreased and the ability of the system administrator to detect the footprint increased in phase 2.

          Network configuration control measures make it more difficult for pseudo-internal intruders to access the system. Such measures also decrease the ability of pseudo-internal intruders who do gain access to the system to gather information or do harm to the distributed system. Network configuration monitoring mitigates the danger of pseudo-internal intruders by promptly notifying the system administrator of their presence. The results of the case study make it clear that through network configuration control and network configuration monitoring, system administrators can greatly decrease both the likelihood and the danger of the pseudo-internal intruder.







Chapter 5: Conclusions and Future Work

5.1     Conclusions

        This thesis has defined a new access oriented intruder category: the pseudo-

internal intruder. We have defined the pseudo-internal intruder as a new distinct

category, as opposed to a subcategory, after examining it with respect to internal and

external intruders in modern distributed systems. We have examined the tools and

techniques usable by the pseudo-internal intruder as well as the danger such an intruder

represents to a distributed system. Finally, we discussed an overall strategy for defending

a distributed system against a pseudo-internal intruder and offered a case study as an

example of how that defensive strategy can be implemented.

         It is clear that others in the intrusion detection field are concerned about internal network based attacks. Some intrusion detection system developers have started to address the question of network intrusions. There are several network intrusion detection systems that address the issue of intrusions via the internal network of a distributed system, as opposed to external intrusion attempts or user account misuse. NetSTAT, an extension of the State Transition Analysis Technique (STAT), was created because its developers realized that network attacks "may be totally invisible from the audit trail (traditional intrusion detection) produced by the attacked host" [STA99]. Instead of focusing on nodes, NetSTAT used "the network and its protocols" (network configuration) as its source of security related information [KV98]. Likewise, the ODS router and RealSecure software package used in the case study provides a network oriented intrusion detection system [ODS98]. There are currently multiple network intrusion detection efforts underway, including [HF98] and [MHL94], among others.

         While some of these network intrusion detection systems offer very promising results, few of the efforts made an attempt to formally define the scope of the network based intrusion problem. The existence of these 'new' efforts indicates an acceptance of a 'new' intruder problem. Any definition of this 'new' intruder problem will aid developers in efficiently and effectively addressing the problem.

         The pseudo-internal intruder category addresses an area of potential intrusions that did not exist prior to the proliferation of the networked distributed system. The pseudo-internal intruder category provides intrusion detection developers a platform on which to understand and define the capabilities of the pseudo-internal intruder, thereby facilitating the detection of and defense against such intruders.



5.2     Future Work

        When Anderson defined the internal and external categories, the principal defining aspect of intruder threats was whether the intruder was "authorized to use the computer system" [And80]. This thesis has argued that an additional defining aspect of intruder threat is whether the intruder has direct access to the internal network of a system. This additional defining aspect came into existence because of changes in technology since the early 1980s. Therefore, it is possible that technology yet to be developed or yet to become mainstream will force a reexamination of the defining aspects of intruder threats. Such developing technology could force the further refinement of intruder categorization, resulting in more than three access oriented intruder categories.







References
[AFV95]          Anderson, Debra, Than Frivold, and Alfonso Valdes. “Next Generation
                 Intrusion Detection Expert System (NIDES): A Summary.” SRI
                 International. May 1995.


[AKS96]          Aslam, Taimur, Ivan Krsul, and Eugene H. Spafford. “Use of A
                 Taxonomy of Security Faults.” Purdue University Technical Report,TR-
                 96-051. September 1996.


[AN96]           Abadi, Martin, and Roger Needham. “Prudent Engineering Practice for
                 Cryptographic Protocols.” IEEE Transactions on Software Engineering, 22
                 (1). January 1996. 6-15.


[And80]          Anderson, James P. “Computer Security Threat Monitoring and
                 Surveillance.” James P. Anderson Co. February 1980.


[And85]          Anderson, James P. “A Unification of Computer and Network Security
                 Concepts.” IEEE Proceedings of the 1985 Symposium on Security and
                 Privacy. April 1985. 77-87.


[And93]          Anderson, Ross. “Why Cryptosystems Fail.” 1st ACM Conference on
                 Computer and Communications Security. 1993.


[Bar98]          Barnes, Bruce H. “Computer Security Research: A British Perspective.”
                 IEEE Software. IEEE Computer Society. September/October 1998. 30-
                 33.


[Bou98]          Boulanger, A. “Catapults and Grappling Hooks: The Tools and
                 Techniques of Information Warfare.” IBM Systems Journal, 37(1). 1998.
                 106-114.






[CH96]           Cannady, J. and J. Harrell. “A Comparative Analysis of Current Intrusion
                 Detection Technologies.” 4th Technology for Information Security
                 Conference. May 1996.


[CER94]          1994 CERT Coordination Center Annual Report.
                 http://www.cert.org/annual_rpts/cert_rpt_94.html


[CER98]          1998 CERT Coordination Center Annual Report.
                 http://www.cert.org/annual_rpts/cert_rpt_98.html


[CNE96]          “Ping of Death Averted.” CNET News.com. November 25, 1996.


[CNN99]          “E-mail Virus Threatens.” Cable News Network. March 29, 1999.


[Den83]          Denning, Dorothy E. “Protecting Public Keys and Signature Keys.”
                 Computer. IEEE Computer Society. February 1983. 27-35.


[Den87]          Denning, Dorothy E. “An Intrusion-Detection Model.” IEEE Transactions
                 on Software Engineering, SE-13(2). February 1987. 222-232.


[Den99]          Denning, Dorothy E. Information Warfare and Security. Addison-
                 Wesley. 1999.


[DM98]           Dowd, Patrick W. and John T. McHenry. “Network Security: It's Time to
                 Take It Seriously.” Computer. IEEE Computer Society. September 1998.
                 24-28.


[DV97]           Davis, B. and B. Violino. “Security: Window of Vulnerability.”
                 Information Week. March 10, 1997.





[Eck85]          Eck, Wim van. “Electromagnetic Radiation from Video Display Units:
                 An Eavesdropping Risk?” Computers & Security 4. Elsevier Science
                 Publishers B.V. 1985. 269-286.


[FOL99]          Free On-Line Dictionary of Computing. 1999.
                 http://wombat.doc.ic.ac.uk/foldoc/index.html


[GAO96]          “Information Security: Computer Attacks at Department of Defense Pose
                 Increasing Risks.” General Accounting Office Chapter Report, AIMD-96-
                 84. May 1996.


[Gri95]          Griffiths, B. “Optical Fibre Security Systems: Applications for Intrusion
                 Detection.” Glass Technology, 36(5). October 1995. 150-152.


[HF98]           Hofmeyr, Steven A. and Stephanie Forrest. “Immunizing Computer
                 Networks: Getting All the Machines in Your Network to Fight the Hacker
                 Disease.” Submitted to: 1999 IEEE Symposium on Security and Privacy.
                 November 1998.


[ISV95]          Icove, David, Karl Seger, and William VonStorch. Computer Crime: A
                 Crimefighter's Handbook. O'Reilly & Associates. 1995.


[IKP95]          Ilgun, Koral, Richard A. Kemmerer, and Phillip A. Porras. “State
                 Transition Analysis: A Rule-Based Intrusion Detection Approach.” IEEE
                 Transactions on Software Engineering, 21(3). March 1995. 181-199.


[JS99]           Jones, Anita, and Robert Sielken. “Intrusion Detection.” University of
                 Virginia Technical Report. May 1999.






[KV98]           Kemmerer, R. and G. Vigna, "NetSTAT: A network-based intrusion
                 detection approach," Proceedings of the 14th Annual Computer Security
                 Applications Conference. December 1998.


[Kor97]          Kornblum, Janet. “Microsoft Posts Another Bug Fix.” CNET News.com.
                 July 1, 1997.


[LG97]           Landwehr, Carl E. and David M. Goldschlag. “Security Issues in
                 Networks with Internet Access.” Proceedings of the IEEE, 85(12).
                 December 1997. 2034-2051.


[LS90]           Lu, Wen-Pai, and Malur K. Sundareshan. “A Model for Multilevel
                 Security in Computer Networks.” IEEE Transactions on Software
                 Engineering, 16(6). June 1990. 647-659.


[Lun93]          Lunt, T.F. “A Survey of Intrusion Detection Techniques.” Computers &
                 Security 12. 1993. 405-418.


[Mei99]          Meier, Garry. “Off the Record: A Survey of Top INFOSEC Execs in
                 Banking.” Electronic Trust: The Magazine of Information Security
                 Trends. Q1, 1999.


[MHL94]          Mukherjee, B., L. T. Heberlein, and K. N. Levitt. “Network Intrusion
                 Detection.” IEEE Network. May/June 1994. 26-41.


[Nes87]          Nessett, Dan M. “Factors Affecting Distributed System Security.” IEEE
                 Transactions on Software Engineering, SE-13(2). February 1987. 233-
                 248.






[Neu98]          Neumann, Peter G. “Security, Survivability, Risks, etc.” Invited Lecturer.
                 Department of Computer Science, University of Virginia. November 19,
                 1998.


[ODS97]          “Leading Security Companies Partner to Deliver New Class of Network
                 Security Service.” ODS Networks Press Release. September 30, 1997.


[ODS98]          “Evaluating Your Network's Security.” ODS Networks. April 1998.
                 http://www.ods.com/white/whi_0004.shtml


[PCO97]          Puketza, Nicholas, Mandy Chung, and Ronald A. Olsson. “A Software
                 Platform for Testing Intrusion Detection Systems.” IEEE Software.
                 September/October 1997. 43-50.


[Pow99]          Power, Richard. “1999 CSI/FBI Computer Crime and Security Survey.”
                 Computer Security Journal, XV(2). 29-45.


[PZ+96]          Puketza, Nicholas, Kui Zhang, Mandy Chung, Biswanath Mukherjee, and
                 Ronald A. Olsson. “A Methodology for Testing Intrusion Detection
                 Systems.” IEEE Transactions on Software Engineering, 22(10). October
                 1996. 719-729.


[Reu98a]         “China Foils Cyber Bank Robbers.” Reuters Limited. October 22, 1998.


[Reu98b]         “Chinese Crackers Get Death.” Reuters Limited. December 28, 1998.


[Sch96]          Schneier, Bruce. Applied Cryptography, Second Edition. John Wiley &
                 Sons Inc. 1996.






[Sel90]          Seline, Christopher. “Eavesdropping on the Electromagnetic Emanations
                 of Digital Equipment: The Law of Canada, England, and the United
                 States.” June 1990.


[Spa96]          Spafford, Eugene H. Security Seminar. Department of Computer Science,
                 Purdue University. January 1996.


[SRI97]          “What is NIDES?” SRI International / Computer Science Laboratory.
                 http://www.csl.sri.com/nides/index1.html


[STA99]          “Projects: The STAT Approach.” Reliable Software Group at University
                 of California at Santa Barbara.
                 http://www.cs.ucsb.edu/~kemm/netstat.html/projects.html


[Sun96]          Sundaram, Aurobindo. “An Introduction to Intrusion Detection.” ACM
                 Crossroads, 2(4). 1996.


[Tan96]          Tanenbaum, Andrew S. Computer Networks, Third Edition. Prentice
                 Hall. 1996.


[Win97]          Wingfield, Nick. “Hole in Windows 95, NT fixed.” CNET News.com.
                 May 12, 1997.



