Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Upload: roderick-oke

Post on 31-Mar-2015


TRANSCRIPT

Page 1: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Security - Network Security

CS3517 Distributed Systems and Security

Lecture 22

Page 2: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Content

• Security issues in distributed systems
• Network attack and defence
• Reading:
  – Anderson, chapters 6 and 21
  – Viega, J. (2009). The myths of security: What the computer security industry doesn’t want you to know, O’Reilly

Page 3: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Distributed Systems Issues

• Concurrency, distributed updates
  – How to inform everyone of a stolen credit card number?
• Fault tolerance
  – What do we do if a credit card PIN cannot be verified due to network failure?
• Naming / identity problems
  – E.g.: how do we know that www.amazon.com is really Amazon and not a spam website?

Page 4: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Attack: Concurrency

• When the same data is used worldwide and simultaneously, how can we keep it consistent?
  – Propagate changes (in the right order)
  – Avoid deadlocks
• This is a classic distribution problem
• It is much worse when malicious attackers attempt to exploit this need for data replication / synchronisation and information exchange

Page 5: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Fault Tolerance

• What happens when the network or a resource (computer, database) becomes unavailable?
  – E.g.: local caching of key information in credit card information systems
• What happens if a person is wrongly accused of credit card fraud?
  – See example in book by Anderson: a person was arrested for allegedly using a forged credit card. The credit card was genuine; the problem was a mechanical fault in the card reader

Page 6: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Defence: Redundancy

• Safeguarding services locally:
  – Redundant arrays of storage media – duplication of data (RAID)
• Process group redundancy:
  – Replication of services
  – Multiple copies of the system run on multiple servers
• Backup:
  – Store snapshots of data at regular intervals

• All these measures replicate data, which makes confidentiality much harder to maintain

Page 7: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Naming

• How can we trust and verify a particular name or URL?
  – www.pcworld.com vs. www.pcworld.co.uk
  – www.pcworld.com vs. www.pcwor1d.com

• Do URL, DNS, certificate providers vet applications?

• Can anyone get an ID as “Microsoft” just by filling in a form and paying 100 Pounds?
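The pcworld.com / pcwor1d.com confusion above can be checked mechanically. The following is an added example, not code from the lecture: it maps host names to a visual "skeleton" so that confusable spellings collide with a trusted domain, and separately reports names that share the brand label under another public suffix (pcworld.com vs. pcworld.co.uk). The trusted list, the confusables table and the suffix table are constructed for the example.

```python
# Added example (not from the lecture slides): flag host names that look like a
# trusted domain but are spelled differently, and names that only differ in the
# public suffix. All tables below are constructed; a real check would use the
# Unicode confusables data and the Public Suffix List.

# Character sequences commonly swapped for one another in look-alike names.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}

# Constructed, minimal table of public suffixes (longest is matched first).
PUBLIC_SUFFIXES = ("co.uk", "com", "org", "net", "uk")


def skeleton(label):
    """Map a label to its visual skeleton so confusable spellings compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def split_registrable(hostname):
    """Return (second-level label, public suffix) for a host name."""
    host = hostname.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            return rest.split(".")[-1], suffix
    return host.split(".")[-1], ""


def classify(hostname, trusted):
    """Classify a host name against trusted registrable domains.

    ("trusted", d)       exact registrable-domain match with d
    ("lookalike", d)     same skeleton as d under the same suffix, different spelling
    ("other-suffix", d)  same brand label as d under another public suffix
    ("unknown", None)    no relation to any trusted domain
    """
    label, suffix = split_registrable(hostname)
    for domain in trusted:
        t_label, t_suffix = split_registrable(domain)
        if label == t_label and suffix == t_suffix:
            return "trusted", domain
        if skeleton(label) == skeleton(t_label) and suffix == t_suffix:
            return "lookalike", domain
    for domain in trusted:
        if label == split_registrable(domain)[0]:
            return "other-suffix", domain
    return "unknown", None


TRUSTED = ["pcworld.com", "amazon.com"]  # constructed sample list

if __name__ == "__main__":
    for host in ["www.pcworld.com", "www.pcwor1d.com", "www.pcworld.co.uk",
                 "www.arnazon.com", "www.example.org"]:
        print(host, classify(host, TRUSTED))
```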

Page 8: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Network Security

• Security concerns arise because
  – Many people have access to your computer
    • Some of them are thieves or hackers
  – You have access to many computers world wide
    • Some / many of them are infected or otherwise dangerous

Page 9: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Importance of Network Security

• Public standards
  – Intruders know more about the protocols; weaknesses are realised quickly
• Pervasive
  – No need for specialist equipment for an attack
• Web servers are extensible
  – Can be connected to other software systems and make them vulnerable to attack
• Web clients are extensible
  – Plug-ins can have security flaws

• Dependence of many interconnected elements

Page 10: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Fundamental Threats

• Threats can be classified as
  – Deliberate (e.g. hacker intrusion)
    • Passive (e.g. wire-tapping)
    • Active (e.g. changing the value of a transaction)
  – Accidental (e.g. secret message sent to the wrong address)
• No universally agreed classification, but:
  – Denial of service – legitimate access to a resource is deliberately impeded
  – Information leakage – information disclosed to unauthorised parties
  – Integrity violation – data consistency is compromised
  – Illegitimate use – a resource is used by an unauthorised person in an unauthorised way

Page 11: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Example Threats

• Packet Sniffing
  – Harvest personal data (e.g. username / password)
• Denial of Service
  – Attempt to make a computer resource unavailable for other users
• Spam
  – Send out unwanted traffic to users
• Phishing and Pharming
  – Attempt to steal personal data
• Trojans, viruses, worms, root kits
  – Malicious code

Page 12: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Be aware of Attacks!

• Mapping: attackers try to find out what services are implemented before an attack
  – Use ping to identify hosts
  – Use port scanner to establish TCP connections
  – Probe for known weaknesses – e.g. very long passwords crash some FTP servers
  – Tools: nmap (nmap.org) mapper: “network exploration and security auditing”
    • Legitimate use by sys admins for network management

Page 13: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Be aware of Attacks!

• Mapping: Protection
  – Record traffic entering network
  – Look for suspicious activity
    • IP addresses being pinged
    • Ports being scanned sequentially
• Many firewalls detect mapping activities
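The two suspicious patterns named on this slide can be found in a record of traffic entering the network. The following is an added example, not code from the lecture: it parses a constructed connection log (format assumed: time, source, destination, protocol, optional destination port) and raises one alert for a source that pings many distinct hosts and one for a source that probes a run of ports on a single host in ascending order.

```python
# Added example (not from the lecture slides): detect host sweeps and sequential
# port scans in a record of inbound traffic. Log format and thresholds are
# constructed for this example.
from collections import defaultdict

# Constructed log: "<time> <src> <dst> <proto> [<dport>]"
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.1 icmp-echo
10:00:01 198.51.100.7 192.0.2.2 icmp-echo
10:00:02 198.51.100.7 192.0.2.3 icmp-echo
10:00:02 198.51.100.7 192.0.2.4 icmp-echo
10:00:05 198.51.100.7 192.0.2.10 tcp-syn 21
10:00:05 198.51.100.7 192.0.2.10 tcp-syn 22
10:00:05 198.51.100.7 192.0.2.10 tcp-syn 23
10:00:06 198.51.100.7 192.0.2.10 tcp-syn 25
10:00:06 198.51.100.7 192.0.2.10 tcp-syn 80
10:00:09 203.0.113.5 192.0.2.10 tcp-syn 80
10:00:10 203.0.113.5 192.0.2.10 tcp-syn 443
"""


def parse(log_text):
    """Yield (src, dst, proto, dport-or-None) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dport = int(parts[4]) if len(parts) > 4 else None
        yield parts[1], parts[2], parts[3], dport


def detect_mapping(log_text, sweep_hosts=4, scan_ports=4):
    """Return alerts for host sweeps and sequential port scans.

    host-sweep: one source sends ICMP echo to >= sweep_hosts distinct hosts.
    port-scan:  one source sends SYNs to >= scan_ports distinct ports on one
                host, in strictly ascending order (the 'sequential' pattern;
                a client reconnecting to the same port does not qualify).
    """
    pinged = defaultdict(set)    # src -> {dst}
    probed = defaultdict(list)   # (src, dst) -> [dport, ...] in arrival order
    for src, dst, proto, dport in parse(log_text):
        if proto == "icmp-echo":
            pinged[src].add(dst)
        elif proto == "tcp-syn" and dport is not None:
            probed[(src, dst)].append(dport)

    alerts = []
    for src, hosts in pinged.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("host-sweep", src, len(hosts)))
    for (src, dst), ports in probed.items():
        distinct = len(set(ports))
        ascending = all(a < b for a, b in zip(ports, ports[1:]))
        if distinct >= scan_ports and ascending:
            alerts.append(("port-scan", src, dst, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect_mapping(SAMPLE_LOG):
        print(alert)
```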

Page 14: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Be aware of Attacks!

• Packet Sniffing
  – Used by sys admin to detect bottlenecks and other problems in a network
  – They work by catching particular sequences of data transmitted over the network
  – Could be used to siphon off sensitive data, e.g. detecting logins
  – Example: host C sniffs B’s packets

[Diagram: hosts A, B and C on the same network segment; a packet src:B dest:A payload is visible to C]

Page 15: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Sniffers: Protection

• All hosts in organisation run software that checks periodically if the host interface is in “promiscuous mode”
• How can we protect ourselves?
  • SSH, not Telnet (but only if sys admin implements this service)
  • HTTP over SSL (https)
  • SFTP, not FTP
  – Unless you really don’t care about the password or data

Page 16: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Denial of Service

• Designed to prevent or degrade a host’s quality of service
• Is done by
  – Sending TCP packets larger than 65536 bytes (maximum) to crash a host – “Ping of Death”
  – Producing packets with contradictory TCP header information, which crash the host attempting to reassemble them (“Teardrop”)
  – SYN flooding
  – SMURF
  – Distributed attacks

Page 17: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Denial of Service: Protection

• Ingress filtering
  – Network ingress filtering is a packet filtering technique used by many Internet service providers to try to block network packets with a spoofed sender IP
  – All connected networks are known, therefore also the range of possible source IP addresses
  – If the source IP of a packet is outside this range, then drop it
• Stay on top of CERT advisories and the latest security patches
  – E.g. a fix for the Microsoft IIS buffer overflow was released 16 days before Code Red!

Page 18: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Spoofing

• IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system
• Intruder uses a computer to masquerade as another trusted host – e.g. the computer pretends to have the IP address of the host
• Example:
  – C pretends to be B

[Diagram: hosts A, B and C; C sends a packet src:B dest:A payload]

Page 19: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Spoofing

• IP spoofing is most frequently used in denial-of-service attacks
  – In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks.
• IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.
  – Users can log in without a username or password provided they are connecting from another machine on an internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication

Page 20: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Spoofing: Protection

• Ingress filtering:
  – Blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine.
• Egress filtering:
  – Blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network from launching IP spoofing attacks against external machines
• Routers should not forward outgoing packets with invalid source addresses
  – E.g. datagram source address not in router’s network

Page 21: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Intrusion Detection / Prevention

• Put a computer on the network that looks at all traffic
  – IDS tells you that the network is being attacked
  – IPS drops packets from the attacker automatically
• Goes beyond ingress filtering: can also detect problems caused by compromised hosts within the network
• Examples:
  – More than three failed logons from the same IP address
  – A longer than six hour phone call
  – Credit card expenditure of more than twice the moving average of the last three months
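The three example rules on this slide, written out as detection logic. This is an added example, not code from the lecture: the event records (logon attempts, phone calls, monthly card spend) are constructed, and each rule follows the slide's wording, so "more than three" means a count of four or above and the spend rule compares against twice the mean of the previous three months.

```python
# Added example (not from the lecture slides): the slide's three IDS rules run
# over constructed event records.
from collections import Counter

# Constructed sample events; a real IDS would read them from logs or a feed.
LOGON_EVENTS = [
    {"ip": "203.0.113.9", "user": "alice", "ok": False},
    {"ip": "203.0.113.9", "user": "alice", "ok": False},
    {"ip": "203.0.113.9", "user": "bob", "ok": False},
    {"ip": "203.0.113.9", "user": "carol", "ok": False},
    {"ip": "198.51.100.3", "user": "dave", "ok": False},
    {"ip": "198.51.100.3", "user": "dave", "ok": True},
]
PHONE_CALLS = [
    {"line": "+44-555-0100", "minutes": 35},
    {"line": "+44-555-0111", "minutes": 6 * 60 + 1},
]
# Monthly spend on one card: history (oldest first) and the current month.
CARD_HISTORY = [300.0, 340.0, 320.0, 310.0]
CARD_CURRENT = 700.0


def failed_logon_alerts(events, threshold=3):
    """Rule 1: more than `threshold` failed logons from the same IP address."""
    failures = Counter(e["ip"] for e in events if not e["ok"])
    return [(ip, n) for ip, n in failures.items() if n > threshold]


def long_call_alerts(calls, limit_minutes=6 * 60):
    """Rule 2: phone calls longer than six hours."""
    return [c["line"] for c in calls if c["minutes"] > limit_minutes]


def expenditure_alert(history, current, months=3, factor=2.0):
    """Rule 3: current spend more than `factor` times the moving average of
    the last `months` months. Returns (alerted, moving_average)."""
    window = history[-months:]
    if not window:
        return False, 0.0
    avg = sum(window) / len(window)
    return current > factor * avg, avg


def run_all():
    """Evaluate every rule over the constructed events and collect the alerts."""
    alerts = [("failed-logons", ip, n) for ip, n in failed_logon_alerts(LOGON_EVENTS)]
    alerts += [("long-call", line) for line in long_call_alerts(PHONE_CALLS)]
    flagged, avg = expenditure_alert(CARD_HISTORY, CARD_CURRENT)
    if flagged:
        alerts.append(("card-spend", CARD_CURRENT, round(avg, 2)))
    return alerts


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```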

Page 22: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Worms and Viruses

• Worm: self-propagating “malware”, can run itself
• Virus: worm that replicates by attaching itself to other programs
• Data virus – e.g. a Word macro virus, which can affect the way the program operates and copy itself to new documents
• Email viruses may use popular clients (e.g. MS) to propagate through the use of address books

Page 23: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Trojan Horses

• A seemingly innocent application can hide a Trojan horse

• The application is supposed to perform a useful function – e.g. a file compression / decompression utility

• It actually does nasty things when installed – e.g. deletes essential Operating System files

• More likely not to be so obvious – e.g. installs a root kit to provide remote access to machine

Page 24: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Root Kit

• Malware (spyware, Trojans) that hides its presence from spyware blockers, antivirus and system management utilities
• “Root Kit”: comes from “root” (the administrator account under Unix) and “kit” (a set of software tools)
• Attackers try to get “root” access to a system in order to install a root kit, with which they get full control of the system
  – Root kit: set of admin tools replaced by malicious versions
• Continues to operate in a hidden fashion

Page 25: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Anti-Virus

• Designed to detect all kinds of malware
  – Spyware, adware, bot net software, worms, etc.
• Consists of a generic engine that operates with DATs (data files)
  – DATs contain signatures of binary files known to be malware
• Detects suspected malware through fast pattern matching

Page 26: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Pharming

• Attackers hijack or poison DNS servers
• Users are redirected to the attacker’s website
• User thinks he is at www.lloydstsb.com, but he is actually at the attackers’ web site
• Attackers steal user personal data (e.g. bank details)

Page 27: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Spam

• Named after a Monty Python sketch
  – Something that is repeated and repeated to great annoyance: “Spam spam spam spam ... Wonderful spam!”
• A scam used to “help” the annual US green card lottery in 1994 led to the wide use of the term “spam”
• Other notorious scams
  – “Advance fee fraud” (e.g. “419” Nigerian scam) – typically conducted by “spam gangs” throughout the world

• Most email spam is “direct marketing” with ~80% being pharmacy-related

Page 28: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Phishing

• Definition: attempting to steal passwords or other sensitive information by posing as a trustworthy website

• Around 2.3% of spam relates to phishing attacks
• Probably the biggest concern for the security industry today
• Banks are typical targets
• Phishing analogous to fishing
  – C. Herley and D. Florencio. (2008). A profitless endeavour: Phishing as tragedy of the commons. In Proceedings of the 2008 Workshop on New Security Paradigms

Page 29: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Routers and Internet Security

• Organisations are keen to use the Internet – how can they protect themselves from such attacks?

• Routers, being gateways, play a central role in internet security
  – Gates can be locked and guarded
• A router can be configured to allow specific connection requests to pass, while blocking all others
  – Such a router is configured as a firewall

Page 30: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Firewalls

• Capabilities are to allow / block
  – Connections via specific ports
  – The use of specific protocols
  – Connections from specific domains
• Example:
  – Organisations commonly employ firewalls to allow HTTP access on port 80, but block telnet access on port 23
• Companies such as 3Com and Cisco market internet technology to organisations, emphasising security features
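A minimal stateless packet filter that combines the ingress / egress source-address checks from the spoofing-protection slides with the port rules on this slide (allow HTTP on port 80, block telnet on port 23). This is an added example, not code from the lecture; the internal network range, the rule table and the sample packets are constructed.

```python
# Added example (not from the lecture slides): ingress/egress address filtering
# plus port-based firewall rules, applied to constructed sample packets.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")  # constructed: the organisation's own network

# Port rules for inbound traffic, checked after the source-address test;
# the first matching rule wins and anything unmatched is dropped.
RULES = [
    {"proto": "tcp", "dport": 80, "action": "allow"},  # HTTP access on port 80
    {"proto": "tcp", "dport": 23, "action": "drop"},   # telnet access on port 23
]

# Constructed sample packets: source, destination, protocol, destination port.
HTTP_IN = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
TELNET_IN = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}
SSH_IN = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
SPOOFED_IN = {"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
EGRESS_OK = {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}
EGRESS_BAD = {"src": "203.0.113.99", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}


def spoof_check(pkt, direction):
    """Ingress filtering: a packet arriving from outside must not carry an
    inside source address. Egress filtering: a packet leaving must carry one.
    Returns a drop reason, or None if the source address is plausible."""
    src_inside = ip_address(pkt["src"]) in INTERNAL
    if direction == "ingress" and src_inside:
        return "spoofed internal source on ingress"
    if direction == "egress" and not src_inside:
        return "source address not in our network on egress"
    return None


def filter_packet(pkt, direction):
    """Return ('allow' | 'drop', reason) for a packet travelling in `direction`."""
    reason = spoof_check(pkt, direction)
    if reason:
        return "drop", reason
    if direction == "egress":
        return "allow", "outbound from a valid internal source"
    for rule in RULES:
        if rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]:
            return rule["action"], f"rule {rule['proto']}/{rule['dport']}"
    return "drop", "default deny"


if __name__ == "__main__":
    for name, pkt, direction in [("HTTP_IN", HTTP_IN, "ingress"),
                                 ("TELNET_IN", TELNET_IN, "ingress"),
                                 ("SPOOFED_IN", SPOOFED_IN, "ingress"),
                                 ("EGRESS_BAD", EGRESS_BAD, "egress")]:
        print(name, filter_packet(pkt, direction))
```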

Page 31: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Intranet

• The term intranet refers to internal protected organisation-wide internets
  – Protected from the public internet by firewalls, or not connected at all
• Many large organisations use them (e.g. to screen against email virus attacks)

[Diagram: Private Intranet – Firewall Gateway – Public Internet]

Page 32: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Extranets

• Companies wish to create secure internet links with partner companies – suppliers & customers – essentially to connect their intranets and allow secure electronic data interchange (EDI)

• This leads to a new marketing term: extranet – an “internet of intranets” with the key feature that specific EDI, transaction and security standards are used

Page 33: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Web Services

• Recent development: XML-based standards for electronic data interchange within extranets have emerged
  – E.g.: a company sells car parts to an automobile manufacturer and uses an XML schema or OWL to represent an ontology for the specification of those parts
• Web Services allow Remote Method Invocation (RMI) over HTTP
  – Use SOAP messaging, WSDL specs for describing remote methods
  – Usually port 80 is open on firewalls – web service calls use the HTTP protocol

Page 34: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Cloud Computing

• Outsourcing of the Intranet / Extranet
  – Local management overhead (with coordination and establishment of exchange protocols) can be managed by a third-party provider
• Has led to the use of Cloud Computing to provide various services:
  – Software: email, document sharing, word processing
  – Infrastructure: workflow among companies
  – Platforms: develop infrastructure / software for others

Page 35: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Infrastructure

• With outsourcing, there is decreasing need for complex infrastructures to be developed / maintained in-house
• But do you trust your service provider?

[Diagram: Internet Traffic enters through an External Gateway to the Mail Server, FTP Server and Web Server; an Internal Gateway passes only Safe Traffic on to the Intranet]

Page 36: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Defence Strategy

• For sys admin, these are things to consider
  – Management: keep your systems up-to-date and configured in ways that will minimise the attack surface
  – Understanding: understand your systems (e.g. use mapping software); understand your users (e.g. need for remote logins?)
  – Training: train staff (technical / non-technical) on how not to expose systems or their personal information
  – Filtering: use appropriately configured firewalls, NAT (Network Address Translation) routers, and other such devices
  – Intrusion detection: monitoring your networks for signs of suspicious behaviour (but consider whether / how this is viable)
  – Encryption: require the use of protocols such as SSH, SFTP (and turn off telnet, ftp)

Page 37: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Configuration Management

• Install security patches
• Know what is in configuration files
• Disable default passwords
• Disable unneeded features
• Auditing and logging
• Properly set up firewalls, virus checkers, etc.
• Use vulnerability checking tools

Page 38: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Learn about Vulnerabilities

• Monitor websites
  – US-CERT advisory (us-cert.gov), McAfee, etc.
• Operating system updates (often automated)
  – Microsoft, Apple, Linux

• Don’t let hackers find out about vulnerabilities and develop exploits before you have mitigated the risks!

Page 39: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Defence in Depth

• A combination of layers is much more effective than a single layer
  – Attacker has to penetrate all of them
• Relying on a single layer (e.g. firewall) is exceedingly dangerous
  – Especially since you know it will have some weaknesses!

Page 40: Security - Network Security CS3517 Distributed Systems and Security Lecture 22

Defence in Depth

• First layer: filtering traffic using a firewall
• Second layer: good sys admin
  – Only enable / install what is needed
  – Avoid being too restrictive – people will find ways around an unreasonably constrained environment
• Third layer: good access control
  – Minimise damage if a hacker gets in
• Fourth layer: secure applications
  – Secure programming: well designed, well tested, worst-case scenarios, etc.
• Fifth layer: intrusion detection