Week 12 - Network Security Part 1

The document discusses network security, including defining security, why it is needed, who is vulnerable to attacks, common security attacks like denial of service and packet sniffing, and countermeasures to those attacks including firewalls and intrusion detection systems. It also provides examples of how firewall rules work and how intrusion detection systems use signatures to monitor for suspicious activity on a network.

Network Security

15-441 Networks Fall 2002

A Brief History of the World

Overview

• What is security?
• Why do we need security?
• Who is vulnerable?
• Common security attacks and countermeasures
  • Firewalls & Intrusion Detection Systems
  • Denial of Service Attacks
  • TCP Attacks
  • Packet Sniffing
  • Social Problems

What is “Security”

• Dictionary.com says:
  1. Freedom from risk or danger; safety.
  2. Freedom from doubt, anxiety, or fear; confidence.
  3. Something that gives or assures safety, as:
     1. A group or department of private guards: Call building security if a visitor acts suspicious.
     2. Measures adopted by a government to prevent espionage, sabotage, or attack.
     3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
  …etc.

Why do we need security?

• Protect vital information while still allowing access to those who need it
  • Trade secrets, medical records, etc.
• Provide authentication and access control for resources
  • Ex: AFS (the Andrew File System, which authenticates users with Kerberos before granting access to files)
• Guarantee availability of resources
  • Ex: 5 9’s (99.999% availability, i.e. at most about five minutes of downtime per year)


Who is vulnerable?

• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Contractors to various government agencies
• Multinational corporations
• ANYONE ON THE NETWORK


Common security attacks and their countermeasures

• Finding a way into the network
  • Firewalls
• Exploiting software bugs, buffer overflows
  • Intrusion Detection Systems (to detect the attempts; patching the bug is the actual fix)
• Denial of Service
  • Ingress filtering, IDS
• TCP hijacking
  • IPSec
• Packet sniffing
  • Encryption (SSH, SSL, HTTPS)
• Social problems
  • Education

Firewalls

• Basic problem – many network applications and protocols have security problems that are fixed over time
  • Difficult for users to keep up with changes and keep every host secure
• Solution
  • Administrators limit access to end hosts by using a firewall
  • Firewall is kept up-to-date by administrators

• A firewall is like a castle with a drawbridge
  • Only one point of access into the network
  • This can be good or bad (a single choke point is easy to police, but it is also a single point of failure and a bottleneck)
• Can be hardware or software
  • Ex. Some routers come with firewall functionality
  • ipfw, ipchains, pf on Unix systems (ipchains has since been replaced by iptables and nftables on Linux); Windows XP and Mac OS X have built-in firewalls

[Figure: Internet --- Firewall --- DMZ (web server, email server, web proxy, etc.) --- Firewall --- Intranet. Public-facing servers sit in the DMZ between two firewalls; the inner firewall keeps the intranet unreachable even if a DMZ host is compromised.]

• Used to filter packets based on a combination of header fields
  • These are called packet filtering firewalls
  • There are other types too (stateful filters, application-level proxies), but they will not be discussed
  • Ex. Drop packets with destination port of 23 (Telnet)
  • Can use any combination of IP/UDP/TCP header information: addresses, ports, protocol, TCP flags
  • man ipfw on unix47 (a CMU Unix host) for much more detail
• But why don’t we just turn Telnet off?

• Here is what a computer with a default Windows XP install looks like (port scan output):
  135/tcp   open  loc-srv
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  1025/tcp  open  NFS-or-IIS
  3389/tcp  open  ms-term-serv
  5000/tcp  open  UPnP
• Might need some of these services, or might not be able to control all the machines on the network
  • So filter at the network boundary instead of relying on every host being configured correctly

• What does a firewall rule look like?
  • Depends on the firewall used
  • Example: ipfw
    /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
    (ipfw rules are numbered and checked in order; the first match decides, so where a rule sits in the list matters)
  • Other examples: WinXP & Mac OS X have built-in and third-party firewalls
    • Different graphical user interfaces
    • Varying amounts of complexity and power
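To show how a rule list like the ipfw line above is actually evaluated, here is an added example, written for this page rather than taken from the lecture or from ipfw: a small first-match packet filter in Python. The rule syntax is a simplified stand-in for a real firewall's, and the addresses given to cracker.evil.org and wolf.tambov.su, the DMZ prefix and the intranet prefix are all assumptions.

```python
"""First-match packet filter in the style of an ipfw rule list.

Added example: this is not code from the lecture or from ipfw. The rule
language is a simplified stand-in for a real firewall's; the addresses
assigned to cracker.evil.org and wolf.tambov.su are assumptions drawn
from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "any", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"        # source address or prefix
    dst: str = "0.0.0.0/0"        # destination address or prefix
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Every field of the rule must match the packet header."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Assumed addresses for the two hosts named in the slide's ipfw rule.
CRACKER_EVIL_ORG = "203.0.113.7"
WOLF_TAMBOV_SU = "198.51.100.5"
DMZ = "198.51.100.0/24"          # the DMZ from the diagram (assumed prefix)
INTRANET = "10.0.0.0/8"          # the intranet behind the second firewall (assumed)

# Rules are checked top to bottom and the first match decides, as in ipfw.
# The final rule is an explicit default deny: anything not listed is dropped.
RULES = [
    Rule("deny", "tcp", CRACKER_EVIL_ORG, WOLF_TAMBOV_SU, 23),  # the slide's rule
    Rule("deny", "tcp", dport=23),               # no Telnet to anything
    Rule("allow", "tcp", dst=DMZ, dport=80),     # public web server
    Rule("allow", "tcp", dst=DMZ, dport=25),     # public mail server
    Rule("deny", dst=INTRANET),                  # nothing from outside reaches the intranet
    Rule("deny"),                                # default deny
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule ("deny" if none match)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def first_matching_rule(pkt: Packet, rules=RULES) -> int:
    """Index of the rule that decided the packet; useful when debugging rule order."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return -1


if __name__ == "__main__":
    for pkt in (Packet("tcp", CRACKER_EVIL_ORG, WOLF_TAMBOV_SU, 23),
                Packet("tcp", "192.0.2.10", WOLF_TAMBOV_SU, 80),
                Packet("udp", "192.0.2.10", WOLF_TAMBOV_SU, 80),
                Packet("tcp", "192.0.2.10", "10.1.2.3", 445)):
        print(pkt, "->", filter_packet(pkt), "by rule", first_matching_rule(pkt))
```

Order matters: the Telnet deny sits above the DMZ allows, so a rule permitting all TCP to the DMZ placed first would quietly reopen port 23. The filter is also stateless, like the packet filters on this slide: it sees only headers, so replies to connections opened from inside have to be permitted explicitly (ipfw's established keyword, or a stateful firewall, handles that).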

Intrusion Detection

• Used to monitor for “suspicious activity” on a network
• Can detect (and, if the sensor sits inline, block) attempts to use known software exploits, like buffer overflows
• Open Source IDS: Snort, www.snort.org

• Uses “intrusion signatures”
  • Well known patterns of behavior
  • Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
• Example
  • IRIX vulnerability in webdist.cgi
  • Can make a rule to drop packets containing the line “/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd”
  • Caveat: a signature that matches that literal string misses the same request with different percent-encoding, so the sensor must normalize (URL-decode) the request before matching
• However, IDS is only useful if contingency plans are in place to curb attacks as they are occurring
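The webdist.cgi signature above, run over constructed request lines in an added Python example (not from the lecture or from Snort). It shows both the literal match a naive rule performs and a match on the URL-decoded URI; the sample request lines, the signature names and the helper functions are all constructed for this example.

```python
"""Signature matching over HTTP request lines, in the spirit of a Snort rule.

Added example: not code from the lecture or from Snort. The request
lines are constructed for this example; the webdist.cgi string is the
one quoted on the slide. Two detectors are compared: a literal substring
match, which is what a naive rule does, and a match run on the
URL-decoded request URI, which also catches re-encoded variants.
"""
import re
from urllib.parse import unquote

# Constructed request lines, as a sniffer or web server log would show them.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0",
    "GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/%70asswd HTTP/1.0",  # %70 is 'p'
    "GET /cgi%2Dbin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0",  # %2D is '-'
    "GET /images/logo.gif HTTP/1.0",
]

LITERAL_SIGNATURE = "/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd"

# Signatures applied to the normalized URI. The first one keys on the
# vulnerable script plus the shell metacharacter ';' that turns the
# distloc parameter into a command, not on one particular command.
SIGNATURES = {
    "IRIX webdist.cgi command execution": re.compile(r"/cgi-bin/webdist\.cgi\?distloc=\?;"),
    "/etc/passwd read attempt": re.compile(r"/etc/passwd"),
}


def request_uri(line: str) -> str:
    """Pull the URI out of a 'METHOD URI VERSION' request line."""
    parts = line.split(" ")
    return parts[1] if len(parts) >= 2 else line


def normalize(uri: str) -> str:
    """URL-decode twice (undoes double encoding) and lower-case the result."""
    return unquote(unquote(uri)).lower()


def literal_match(line: str) -> bool:
    """The naive detector: does the raw line contain the slide's exact string?"""
    return LITERAL_SIGNATURE in line


def detect(line: str) -> list:
    """Names of all signatures matching the normalized request URI."""
    uri = normalize(request_uri(line))
    return [name for name, pattern in SIGNATURES.items() if pattern.search(uri)]


def scan(lines) -> dict:
    """Map each alerting request line to its alerts; quiet lines are omitted."""
    report = {}
    for line in lines:
        alerts = detect(line)
        if alerts:
            report[line] = alerts
    return report


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"literal={literal_match(line)!s:5} normalized={detect(line)}  {line}")
```

The two encoded variants slip past the literal match and are caught only after normalization, which is why real sensors decode HTTP before applying content rules. A passive sensor can only alert on what it sees; to actually drop the packet, as the slide puts it, the sensor has to sit inline in the traffic path.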

Minor Detour…

• Say we got the /etc/passwd file from the IRIX server
• What can we do with it?


Dictionary Attack

• We can run a dictionary attack on the passwords
  • The passwords in /etc/passwd are stored as the output of the crypt(3) function (a one-way hash, not reversible encryption); modern systems move the hashes to /etc/shadow, readable only by root, for exactly this reason
  • Can take a dictionary of words, crypt() them all, and compare with the hashed passwords
  • The salt stored with each hash means the dictionary has to be re-hashed per user, but it does not stop the attack against a weak password
• This is why your passwords should be meaningless random junk!
  • For example, “sdfo839f” is a good password
  • By 2002 standards; eight lower-case letters and digits under traditional DES crypt is within reach of exhaustive search on today's hardware, so length matters as much as randomness
  • That is not my andrew password
  • Please don’t try it either
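The attack described above, as an added Python example (not from the lecture). Traditional DES-based crypt(3) is not available portably from the standard library, so a salted SHA-256 stands in for it; that substitution, the password file lines and the word list are all assumptions made for this example, and the attack itself is unchanged by them.

```python
"""Offline dictionary attack against a password file.

Added example, not from the lecture. Traditional DES-based crypt(3) is
not available portably from Python's standard library, so a salted
SHA-256 is used as a stand-in (an assumption: the attack is identical,
only the hash function differs). The password file lines and the word
list are constructed for this example.
"""
import hashlib


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): the salt is stored in the clear in front of the hash."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def make_passwd_file() -> list:
    """Constructed /etc/passwd-style lines: user:salt$hash:uid:gid:gecos:home:shell."""
    users = [("alice", "fish", "password123"),   # a dictionary word plus digits
             ("bob", "ab12", "sdfo839f"),        # the slide's "meaningless random junk"
             ("carol", "s4lt", "letmein")]       # a plain dictionary word
    return [f"{user}:{hash_password(pw, salt)}:1000:1000::/home/{user}:/bin/sh"
            for user, salt, pw in users]


# Constructed word list; real attacks use millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "monkey", "dragon"]


def dictionary_attack(passwd_lines, wordlist):
    """Hash every word under each user's salt and compare with the stored hash.

    Returns (recovered, hashes_computed). Because each user has a distinct
    salt, the word list has to be re-hashed per user; without salts one
    pass over the list would test every account at once.
    """
    recovered = {}
    hashes_computed = 0
    for line in passwd_lines:
        user, stored = line.split(":")[:2]
        salt = stored.split("$", 1)[0]
        for word in wordlist:
            hashes_computed += 1
            if hash_password(word, salt) == stored:
                recovered[user] = word
                break
    return recovered, hashes_computed


if __name__ == "__main__":
    found, cost = dictionary_attack(make_passwd_file(), WORDLIST)
    print(f"recovered {found} after {cost} hash computations")
```

alice and carol fall to a seven-word list; bob's random string does not. The salt forces the list to be re-hashed per account (15 hashes here rather than 7), which is a cost multiplier rather than a defence: the real fixes are keeping hashes out of world-readable files and using a deliberately slow hash.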

Denial of Service

• Purpose: Make a network service unusable, usually by overloading the server or network
• Many different kinds of DoS attacks
  • SYN flooding
  • SMURF
  • Distributed attacks
• Mini Case Study: Code-Red

• SYN flooding attack
  • Send SYN packets with bogus source address
  • Why?
    • Server responds with SYN ACK and keeps state about the TCP half-open connection; the spoofed sources never complete the handshake, so the entries sit in the backlog until they time out
    • Eventually, server memory is exhausted with this state
  • Solution: use “SYN cookies”
    • In response to a SYN, encode the connection details in the server's initial sequence number as a keyed hash (the “cookie”), send the SYN ACK, and forget everything else
    • A legitimate client's ACK carries that sequence number plus one; the server recomputes the hash from the ACK's own headers and, if it matches, recreates the forgotten connection state
    • Cost: TCP options from the original SYN (window scaling, SACK) are lost unless they can also be squeezed into the cookie
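The cookie construction and the check on the returning ACK, as an added Python example. It is not the lecture's code and not the Linux or BSD implementation; the 32-bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the general shape of the Linux scheme but is simplified, and the secret, addresses and ports are constructed.

```python
"""SYN cookies: replying to a SYN without keeping per-connection state.

Added example: not code from the lecture and not the Linux or BSD
implementation. The 32-bit cookie layout (5-bit time counter, 3-bit MSS
index, 24-bit keyed hash) follows the general shape of the Linux scheme
but is simplified; the secret, addresses and ports are constructed.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)                # server secret; rotated periodically in practice
MSS_TABLE = [536, 1220, 1440, 1460]    # the only MSS values the cookie can remember
COUNTER_PERIOD = 64                    # seconds per tick of the time counter


def _mac24(src, dst, sport, dport, t, mss_idx) -> int:
    """24-bit keyed hash over the connection 4-tuple, time tick and MSS index."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_mss, now) -> int:
    """Server's initial sequence number for the SYN ACK.

    Everything the server needs later is inside this number, so nothing
    is stored: a flood of spoofed SYNs costs the server no memory.
    """
    t = (int(now) // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                      # largest table entry not above the client's MSS
    return (t << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, t, mss_idx)


def check_syn_cookie(src, dst, sport, dport, ack_num, now):
    """Validate the final ACK of the handshake.

    The client acknowledges ISN+1, so ack_num-1 must be a cookie that this
    server issued recently for this 4-tuple. Returns the recovered MSS on
    success, None otherwise (the ACK is then dropped, as for any stray ACK).
    """
    isn = (ack_num - 1) & 0xFFFFFFFF
    t, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if ((current - t) & 0x1F) > 1:           # older than two ticks: stale or forged
        return None
    expected = _mac24(src, dst, sport, dport, t, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, 1460, now=1000)
    print("SYN ACK carries ISN", hex(isn))
    print("legit ACK  ->", check_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, isn + 1, now=1010))
    print("forged ACK ->", check_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, (isn ^ 1) + 1, now=1010))
    print("stale ACK  ->", check_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, isn + 1, now=1300))
```

make_syn_cookie stores nothing, so a flood of SYNs from bogus sources costs only CPU. The price is visible in check_syn_cookie: all the server gets back is the MSS it encoded, so window scaling and the other SYN options are gone, which is why real stacks switch cookies on only once the backlog overflows.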
• SMURF
  • Source IP address of a broadcast ping is forged to be the victim's
  • Large number of machines respond back to the victim, overloading it (an amplification attack: one spoofed packet in, one reply per host on the broadcast network out)
  • Countermeasures: routers should not forward directed broadcasts (RFC 2644 changed the default), hosts should not answer echo requests sent to broadcast addresses, and ingress filtering stops the spoofed source in the first place

[Figure: the perpetrator sends an ICMP echo request, with the spoofed source address of the victim, to an IP broadcast address; every host on that network sends an ICMP echo reply across the Internet to the victim.]

• Distributed Denial of Service
  • Same techniques as regular DoS, but on a much larger scale
  • Example: Sub7Server Trojan and IRC bots
    • Infect a large number of machines with a “zombie” program
    • Zombie program logs into an IRC channel and awaits commands
  • Example:
    • Bot command: !p4 207.71.92.193
    • Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000
    • Sends 10,000 packets of about 64 KB each to the host (about 655 MB from a single zombie!)
  • Read more at: http://grc.com/dos/grcdos.htm

• Mini Case Study – CodeRed
  • July 19, 2001: over 359,000 computers infected with Code-Red in less than 14 hours
  • Used a recently disclosed buffer overflow in the Index Server ISAPI extension of Microsoft IIS
  • Damages estimated in excess of $2.6 billion

• Why is this under the Denial of Service category?
  • CodeRed launched a DDOS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
    • The target was a hard-coded IP address, so the site was simply moved to a different address before the attack date
  • Spent the rest of its time infecting other hosts

• How can we protect ourselves?
  • Ingress filtering
    • Drop a packet if its source IP address is not one that should be arriving on that interface: at a customer's edge, only forward packets whose source lies in the customer's own address space; on a router, check that the route back to the source points out the interface the packet came in on
    • RFC 2267 has more information about this (since updated by RFC 2827, BCP 38)
    • This stops spoofed-source attacks such as SYN floods and SMURF at their origin, but only if the networks near the attacker deploy it
  • Stay on top of CERT advisories and the latest security patches
    • A fix for the IIS buffer overflow (Microsoft bulletin MS01-033, June 2001) was released about a month before CodeRed had been deployed!
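Ingress filtering as described in the first bullet, as an added Python example (not from the lecture and not a router's implementation). The forwarding table, interface names and packet sources are constructed; two forms are shown, the BCP 38 edge rule and a strict reverse-path check.

```python
"""Ingress filtering (RFC 2267, now RFC 2827 / BCP 38) as a reverse-path check.

Added example, not from the lecture and not a router's implementation.
The routing table and the packets are constructed. Two forms are shown:
the edge rule (forward only packets sourced from the customer's own
prefix) and strict reverse-path forwarding (accept only if the best
route back to the source leaves through the arrival interface).
"""
import ipaddress

# Constructed forwarding table of a provider's edge router: interface -> prefixes.
ROUTES = {
    "eth0": [ipaddress.ip_network("198.51.100.0/24")],   # customer's network
    "eth1": [ipaddress.ip_network("0.0.0.0/0")],         # upstream, default route
}


def reverse_path_interface(src: str):
    """Longest-prefix match: the interface the router would use to reach src."""
    ip = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for iface, prefixes in ROUTES.items():
        for net in prefixes:
            if ip in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def strict_urpf_accept(src: str, arrived_on: str) -> bool:
    """Strict uRPF: the route back to the source must point at the arrival interface."""
    return reverse_path_interface(src) == arrived_on


def edge_ingress_accept(src: str, customer_prefix: str = "198.51.100.0/24") -> bool:
    """BCP 38 edge rule on the customer-facing interface: only the customer's own addresses."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(customer_prefix)


def filter_batch(packets):
    """Apply strict uRPF to (src, interface) pairs; returns the sources that were dropped."""
    return [src for src, iface in packets if not strict_urpf_accept(src, iface)]


if __name__ == "__main__":
    # Constructed traffic: 203.0.113.9 arriving on the customer interface is a
    # spoof, and so is the customer's own prefix showing up from upstream.
    sample = [("198.51.100.7", "eth0"), ("203.0.113.9", "eth0"),
              ("203.0.113.9", "eth1"), ("198.51.100.7", "eth1")]
    print("dropped:", filter_batch(sample))
```

Strict reverse-path checking drops legitimate traffic when routing is asymmetric, so providers often run the looser form that only requires some route to the source to exist. Either way the benefit goes to the rest of the Internet rather than to the network doing the filtering, which is why deployment has been slow.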
