Network Security Concepts
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
jain@cse.wustl.edu
These slides are available on-line at http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St Louis, CSE571S, 2007, Raj Jain

Overview
1. Security Components and Threats
2. Security Policy and Issues
3. Types of Malware and Attacks
4. Security Mechanisms
5. Network Security Audit
6. The Orange Book
7. Legal Issues

Security Components
- Confidentiality: needs access control and cryptography; also covers the existence of data
- Integrity: no change in content or source; prevention mechanisms and detection mechanisms
- Availability: denial-of-service attacks
- Confidentiality, Integrity and Availability = CIA

Threats
- Disclosure, Alteration and Denial (DAD)
- Disclosure, or unauthorized access: snooping, passive wiretapping
- Deception, or acceptance of false data: active wiretapping (data modified), man-in-the-middle attack, masquerading or spoofing (impersonation), repudiation of origin (denying sending), denial of receipt
- Disruption, or prevention of correct operation
- Usurpation, or unauthorized control of some part of a system
- Delay: infinite delay = denial of service

Security Policy
- Security Policy: statement of what is and what is not allowed
- Security Mechanism: method, tool or procedure for enforcing a security policy

Elements of Network Security Policy
1. Purchasing guidelines: required security features
2. Privacy Policy: files, emails, keystrokes
3. Access Policy: connecting to external systems, installing new software
4. Accountability Policy: responsibilities of users, staff and management; audit capability
5. Authentication Policy: password policy
6. Availability statement: redundancy and recovery issues
7. Maintenance Policy: remote maintenance? How?
8. Violations Reporting Policy: what and to whom
9. Supporting Information: contact information, handling outside queries, laws
Ref: RFC 2196

Security Issues
- Goals: prevention, detection, recovery, assurance
- Assurance requires detailed specs of desired and undesired behavior, analysis of the design of hardware and software, and arguments or proofs that the implementation, operating procedures and maintenance procedures work
- Operational Issues: benefits of protection vs. cost of designing, implementing and using the mechanisms
- Risk Analysis: likelihood of potential threats
- Laws: no export of cryptography from the USA until 2000; sys admins can't read a user's files without permission; customs; DNA samples for authentication; SSN as passwords
- Organizational Priorities: security not important until an incident
- People Problems: insider attacks

Steps in Cracking a Network
- Information Gathering: public sources, tools
- Port Scanning: find open TCP ports
- Network Enumeration: map the network (servers and workstations; routers, switches, firewalls)
- Gaining Access
- Keeping root/administrator access
- Modifying: using access and modifying information
- Leaving a backdoor: to return at a later date
- Covering tracks

Hacker Categories
- Hacker: clever programmer
- Cracker: illegal hacker
- Script Kiddies: starting hackers; may not target a specific system; rely on tools written by others
- White Hat Hackers: good guys; very knowledgeable; hired to find a vulnerability in a network; write their own software
- Black Hat Hackers: bad guys; desire to cause harm to a specific system; write their own software
- Cyber terrorists: motivated by a political, religious or philosophical agenda

Types of Malware
- Viruses: code that attaches itself to programs, disks or memory to propagate itself
- Worms: install copies of themselves on other machines on a network, e.g., by finding user names and passwords
- Trojan horses: pretend to be a utility; convince users to install them on a PC
- Spyware: collects personal information
- Hoax: uses emotion to propagate, e.g., a child's last wish
- Trap Door: undocumented entry point, for debugging purposes
- Logic Bomb: instructions that trigger on some event in the future
- Zombie: malicious instructions that can be triggered remotely; the attacks seem to come from other victims

History of Security Attacks
(figure: timeline of security attacks; image not reproduced in this text)

Brief History of Malware
(figure: timeline of malware; image not reproduced in this text)

Types of Virus
- Boot sector virus
- Macro virus
- Email malware
- Web site malware (JavaScripts)

Types of Attacks
- Denial of Service (DoS): flooding with traffic or requests
- Buffer Overflows: an error in system programs allows the hacker to insert his code into a program
- Malware
- Brute Force: try all passwords
- Port Scanning: disable unnecessary services and close ports
- Network Mapping

Root Kits
- Hide by placing themselves between calls to system routines and lower layers of the operating system
- When a program makes a system call, the root kit intercepts the call and either passes it to the system, handles the call itself, or drops the call
- Allow the hacker to enter a system at any time
- See rootkit.com

Buffer Overflows
- The return address is saved on the top of the stack
- Parameters are then saved on the stack
- Writing data on the stack causes a stack overflow
- Returns program control to a code segment written by the hacker

Distributed DoS Attacks
- Tribe Flood Network (TFN): clients are installed on compromised hosts; all clients start a simultaneous DoS attack on a victim on a trigger from the attacker
- Trinoo attack works similarly; uses UDP packets; Trinoo clients report to the Trinoo master when the system comes up
- Stacheldraht uses handlers on compromised hosts to receive encrypted commands from the attacker

Social Engineering
- Reverse social engineering: the user is persuaded to ask the hacker for help
- Phone calls: a call from "tech support" to update the system; a high-level VP calling in an emergency; requires employee training
- Electronic Social Engineering: phishing (eBay transactions, PayPal accounts, bank accounts); Nigerian 419 scams: Section 419 of Nigerian criminal
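The Types of Attacks slide lists port scanning and gives the mitigation (disable unnecessary services, close ports). The C program below is an added example, not code from Raj Jain's slides, showing the detection side of the same attack: it counts distinct destination ports per source address over constructed firewall log lines and flags a source that touches many ports, the footprint a scan leaves in a log. The `src=<ip> dport=<port>` line format, the sample addresses and the threshold of 10 distinct ports are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. Input is a constructed
 * firewall log with one "src=<ip> dport=<port>" record per line; the
 * format, the addresses and the alert threshold are assumptions. */
#define MAX_SRC        16
#define MAX_PORTS      64
#define SCAN_THRESHOLD 10   /* distinct ports from one source before alerting */

struct src_stat {
    char ip[16];
    int  ports[MAX_PORTS];
    int  nports;
};

static struct src_stat stats[MAX_SRC];
static int nstats;

/* Forget everything seen so far. */
void reset_stats(void) { nstats = 0; }

static struct src_stat *find_src(const char *ip) {
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].ip, ip) == 0)
            return &stats[i];
    return NULL;
}

/* Parse one log line and record the (source, port) pair.
 * Returns 0 on success, -1 for a malformed line or a full table. */
int record_line(const char *line) {
    char ip[16];
    int port;
    if (sscanf(line, "src=%15s dport=%d", ip, &port) != 2)
        return -1;
    struct src_stat *s = find_src(ip);
    if (s == NULL) {
        if (nstats == MAX_SRC)
            return -1;
        s = &stats[nstats++];
        strcpy(s->ip, ip);        /* %15s limits ip to 15 chars, fits in 16 */
        s->nports = 0;
    }
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port)
            return 0;             /* port already counted for this source */
    if (s->nports < MAX_PORTS)
        s->ports[s->nports++] = port;
    return 0;
}

/* Distinct destination ports seen from ip (0 if never seen). */
int distinct_ports(const char *ip) {
    const struct src_stat *s = find_src(ip);
    return s ? s->nports : 0;
}

/* A source that has touched SCAN_THRESHOLD or more distinct ports. */
int is_scanner(const char *ip) {
    return distinct_ports(ip) >= SCAN_THRESHOLD;
}

/* Feed the constructed sample log: 10.0.0.5 probes 12 ports, 10.0.0.9 is an
 * ordinary client repeating one port. Returns 1 when only the probing host
 * is flagged. */
int run_sample(void) {
    static const char *log[] = {
        "src=10.0.0.5 dport=21",  "src=10.0.0.5 dport=22",
        "src=10.0.0.5 dport=23",  "src=10.0.0.5 dport=25",
        "src=10.0.0.9 dport=443", "src=10.0.0.5 dport=53",
        "src=10.0.0.5 dport=80",  "src=10.0.0.5 dport=110",
        "src=10.0.0.5 dport=135", "src=10.0.0.9 dport=443",
        "src=10.0.0.5 dport=139", "src=10.0.0.5 dport=143",
        "src=10.0.0.5 dport=443", "src=10.0.0.5 dport=445",
        "src=10.0.0.9 dport=443",
    };
    reset_stats();
    for (size_t i = 0; i < sizeof log / sizeof log[0]; i++)
        record_line(log[i]);
    return is_scanner("10.0.0.5") && !is_scanner("10.0.0.9");
}

int main(void) {
    printf("sample flags the scanning host only: %d\n", run_sample());
    printf("10.0.0.5 touched %d distinct ports\n", distinct_ports("10.0.0.5"));
    return 0;
}
```

The count of distinct ports, rather than the raw number of log lines, is what separates a scan from a busy legitimate client: the client above produces three lines but only one port. In a real deployment the threshold would be paired with a time window, which this example omits.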
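The Buffer Overflows slide states the mechanism in four lines: the saved return address and the local data share the stack, and writing past the buffer reaches the return address. The C program below is an added teaching model, not code from the slides, that makes that layout concrete without any real exploitation: a frame is modelled as a byte array holding a 16-byte buffer followed by an 8-byte slot standing in for the saved return address, an unchecked copy is shown overwriting the slot, and a length-checked copy beside it refuses the same input. The frame layout, the buffer size and the marker value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added teaching model, not code from the slides. The frame layout is an
 * assumption chosen to mirror the slide: BUF_SIZE bytes of local buffer at
 * the low end of the frame, followed immediately by an 8-byte slot that
 * stands in for the saved return address. */
#define BUF_SIZE 16
#define RET_SIZE sizeof(uint64_t)

struct frame {
    unsigned char bytes[BUF_SIZE + RET_SIZE]; /* buffer, then saved-return slot */
};

/* Zero the buffer and store ret in the saved-return slot. */
static void init_frame(struct frame *f, uint64_t ret) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &ret, RET_SIZE);
}

/* Read back whatever currently sits in the saved-return slot. */
static uint64_t saved_return(const struct frame *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + BUF_SIZE, RET_SIZE);
    return ret;
}

/* Vulnerable pattern: the input length is never compared with BUF_SIZE, so
 * a long input runs past the buffer into the saved-return slot. Clamping to
 * the whole frame only keeps this model within defined behaviour. */
static int copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof f->bytes)
        len = sizeof f->bytes;
    memcpy(f->bytes, in, len);
    return 0;
}

/* Hardened pattern: reject any input that does not fit the buffer. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE)
        return -1;
    memcpy(f->bytes, in, len);
    return 0;
}

typedef int (*copy_fn)(struct frame *, const unsigned char *, size_t);

/* Run one copy routine with a 24-byte input against the 16-byte buffer and
 * report whether the saved-return slot was altered (1) or preserved (0). */
static int clobbers_return(copy_fn copy) {
    struct frame f;
    const uint64_t marker = 0x4141414141414141ULL; /* constructed marker value */
    unsigned char input[BUF_SIZE + 8];
    memset(input, 'B', sizeof input);
    init_frame(&f, marker);
    copy(&f, input, sizeof input);
    return saved_return(&f) != marker;
}

int unchecked_clobbers_return(void) { return clobbers_return(copy_unchecked); }
int checked_clobbers_return(void)   { return clobbers_return(copy_checked); }

/* The checked copy still accepts input that fits: returns 1 when a
 * BUF_SIZE-byte input is copied and the saved-return slot is untouched. */
int checked_accepts_fit(void) {
    struct frame f;
    const uint64_t marker = 0x4141414141414141ULL;
    unsigned char input[BUF_SIZE];
    memset(input, 'C', sizeof input);
    init_frame(&f, marker);
    return copy_checked(&f, input, sizeof input) == 0 && saved_return(&f) == marker;
}

int main(void) {
    printf("unchecked copy altered saved return: %d\n", unchecked_clobbers_return());
    printf("checked copy altered saved return:   %d\n", checked_clobbers_return());
    return 0;
}
```

The defensive point is the one the slide's "error in system programs" hides: the fix is not knowing where the return address lives but never letting input length exceed the destination, which is what `copy_checked` enforces before the copy happens.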