Security - Network Security
CS3517 Distributed Systems and Security
Lecture 22
Content
• Security issues in distributed systems
• Network attack and defence
• Reading:
  – Anderson, chapters 6 and 21
  – Viega, J. (2009). The myths of security: What the computer security industry doesn’t want you to know, O’Reilly
Distributed Systems Issues
• Concurrency, distributed updates
  – How to inform everyone of a stolen credit card number?
• Fault tolerance
  – What do we do if a credit card PIN cannot be verified due to network failure?
• Naming / identity problems
  – E.g.: how do we know that www.amazon.com is really Amazon and not a spam website?
Attack: Concurrency
• When the same data is used worldwide and simultaneously, how can we keep it consistent?
  – Propagate changes (in the right order)
  – Avoid deadlocks
• This is a classic distribution problem
• It is much worse when malicious attackers attempt to exploit this need for data replication / synchronisation and information exchange
Fault Tolerance
• What happens when the network or a resource (computer, database) becomes unavailable?
  – E.g.: local caching of key information in credit card information systems
• What happens if a person is wrongly accused of credit card fraud?
  – See the example in Anderson’s book: a person was arrested for allegedly using a forged credit card. The card was genuine; the problem was a mechanical fault in the card reader
Defence: Redundancy
• Safeguarding services locally:
  – Redundant arrays of storage media (RAID) – duplication of data
• Process group redundancy:
  – Replication of services
  – Multiple copies of the system run on multiple servers
• Backup:
  – Store snapshots of data at regular intervals
• All these measures replicate data, which makes confidentiality much harder to maintain
Naming
• How can we trust and verify a particular name or URL?
  – www.pcworld.com vs. www.pcworld.co.uk
  – www.pcworld.com vs. www.pcwor1d.com
• Do URL, DNS and certificate providers vet applications?
• Can anyone get an ID as “Microsoft” just by filling in a form and paying 100 Pounds?
Network Security
• Security concerns arise because
  – Many people have access to your computer
    • Some of them are thieves or hackers
  – You have access to many computers world wide
    • Some / many of them are infected or otherwise dangerous
Importance of Network Security
• Public standards
  – Intruders know more about the protocols; weaknesses are realised quickly
• Pervasive
  – No need for specialist equipment for an attack
• Web servers are extensible
  – Can be connected to other software systems and make them vulnerable to attack
• Web clients are extensible
  – Plug-ins can have security flaws
• Dependence on many interconnected elements
Fundamental Threats
• Threats can be classified as
  – Deliberate (e.g. hacker intrusion)
    • Passive (e.g. wire-tapping)
    • Active (e.g. changing the value of a transaction)
  – Accidental (e.g. a secret message sent to the wrong address)
• No universally agreed classification, but:
  – Denial of service – legitimate access to a resource is deliberately impeded
  – Information leakage – information is disclosed to unauthorised parties
  – Integrity violation – data consistency is compromised
  – Illegitimate use – a resource is used by an unauthorised person in an unauthorised way
Example Threats
• Packet sniffing
  – Harvest personal data (e.g. username / password)
• Denial of service
  – Attempt to make a computer resource unavailable to other users
• Spam
  – Send out unwanted traffic to users
• Phishing and pharming
  – Attempt to steal personal data
• Trojans, viruses, worms, root kits
  – Malicious code
Be aware of Attacks!
• Mapping: attackers try to find out what services are implemented before an attack
  – Use ping to identify hosts
  – Use a port scanner
    • to establish TCP connections
    • Probe for known weaknesses – e.g. very long passwords crash some FTP servers
  – Tools: nmap (nmap.org) mapper: “network exploration and security auditing”
    • Legitimate use by sys admins for network management
Be aware of Attacks!
• Mapping: protection
  – Record traffic entering the network
  – Look for suspicious activity
    • IP addresses being pinged
    • Ports being scanned sequentially
• Many firewalls detect mapping activities
Be aware of Attacks!
• Packet sniffing
  – Used by sys admins to detect bottlenecks and other problems in a network
  – They work by catching particular sequences of data transmitted over the network
  – Could be used to siphon off sensitive data, e.g. detecting logins
  – Example: host B sniffs B’s packets
    [Diagram: hosts A, B and C on one network; a packet “src:B dest:A payload” travels from B to A]
Sniffers: Protection
• All hosts in the organisation run software that periodically checks whether the host interface is in “promiscuous mode”
• How can we protect ourselves?
  • SSH, not Telnet (but only if the sys admin implements this service)
  • HTTP over SSL (https)
  • SFTP, not FTP
  – Unless you really don’t care about the password or data
Denial of Service
• Designed to prevent or degrade a host’s quality of service
• Is done by
  – Sending TCP packets larger than 65536 bytes (the maximum) to crash a host – “Ping of Death”
  – Producing packets with contradictory TCP header information, which crash the host attempting to reassemble them (“Teardrop”)
  – SYN flooding
  – Smurf
  – Distributed attacks
Denial of Service: Protection
• Ingress filtering
  – Network ingress filtering is a packet filtering technique used by many Internet service providers to try to block network packets with a spoofed sender IP
  – All connected networks are known, and therefore also the range of possible source IP addresses
  – If the source IP of a packet is outside this range, drop it
• Stay on top of CERT advisories and the latest security patches
  – E.g. a fix for the Microsoft IIS buffer overflow was released 16 days before Code Red!
Spoofing
• IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system
• The intruder uses a computer to masquerade as another trusted host – e.g. the computer pretends to have the IP address of that host
• Example:
  – C pretends to be B
    [Diagram: hosts A, B and C; C sends a packet “src:B dest:A payload” to A]
Spoofing
• IP spoofing is most frequently used in denial-of-service attacks
  – In such attacks the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks.
• IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.
  – Users can log in without a username or password provided they are connecting from another machine on an internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.
Spoofing: Protection
• Ingress filtering:
  – Blocking packets from outside the network with a source address inside the network. This prevents an outside attacker from spoofing the address of an internal machine.
• Egress filtering:
  – Blocking packets from inside the network with a source address that is not inside. This prevents an attacker within the network from launching IP spoofing attacks against external machines.
• Routers should not forward outgoing packets with invalid source addresses
  – E.g. datagram source address not in the router’s network
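The ingress and egress checks from this slide and from the denial-of-service protection slide, written out as a small border-router filter. This is an added example, not code from the lecture; the internal prefix 192.0.2.0/24 and the sample packets are constructed (documentation address ranges).

```python
"""Ingress / egress anti-spoofing filter for a border router.

Added example (not from the lecture): the organisation's own address range is
the constructed prefix 192.0.2.0/24. A packet's source address is checked
against the interface it arrived on, exactly as the two slide rules state.
"""
from ipaddress import ip_address, ip_network

# Constructed: the address range of the organisation's internal network.
INTERNAL = ip_network("192.0.2.0/24")


def filter_packet(src: str, direction: str) -> str:
    """Return 'forward' or 'drop' for a packet with source address `src`.

    direction is 'ingress' (arriving from the Internet) or 'egress'
    (leaving the internal network towards the Internet).
    """
    source = ip_address(src)
    if direction == "ingress":
        # Ingress filtering: a packet arriving from outside must not claim an
        # inside source address; if it does, an outsider is spoofing one of
        # our machines.
        return "drop" if source in INTERNAL else "forward"
    if direction == "egress":
        # Egress filtering: a packet leaving must carry an inside source
        # address; otherwise an insider is spoofing someone else's address.
        return "forward" if source in INTERNAL else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def audit(packets):
    """Apply the filter to (src, direction) pairs; return the dropped sources."""
    return [src for src, direction in packets
            if filter_packet(src, direction) == "drop"]


# Constructed sample traffic seen at the border router.
SAMPLE = [
    ("203.0.113.7", "ingress"),   # genuine outside host            -> forward
    ("192.0.2.10", "ingress"),    # outsider claiming inside address -> drop
    ("192.0.2.10", "egress"),     # inside host sending out          -> forward
    ("198.51.100.9", "egress"),   # insider spoofing outside address -> drop
]

if __name__ == "__main__":
    for src, direction in SAMPLE:
        print(f"{direction:7} src={src:14} -> {filter_packet(src, direction)}")
```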
Intrusion Detection / Prevention
• Put a computer on the network that looks at all traffic
  – IDS tells you that the network is being attacked
  – IPS drops packets from the attacker automatically
• Unlike ingress filtering alone, this can also detect problems caused by compromised hosts within the network
• Examples:
  – More than three failed logons from the same IP address
  – A phone call longer than six hours
  – Credit card expenditure of more than twice the moving average of the last three months
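Two of the slide’s detection rules implemented over constructed data, as an added example that is not part of the lecture. The log lines imitate an sshd-style format and are made up for the example; the monthly spending figures are likewise constructed.

```python
"""Anomaly rules from the IDS slide, run over constructed inputs.

Added example (not from the lecture): the rules 'more than three failed logons
from the same IP address' and 'credit card expenditure of more than twice the
moving average of the last three months', each as a function a practitioner
could point at real data.
"""
import re
from collections import Counter

# Constructed log lines in an sshd-like format (not captured from a real host).
AUTH_LOG = """\
Jan 10 09:12:01 gw sshd[811]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jan 10 09:12:03 gw sshd[811]: Failed password for root from 198.51.100.23 port 41023 ssh2
Jan 10 09:12:05 gw sshd[811]: Failed password for admin from 198.51.100.23 port 41024 ssh2
Jan 10 09:12:08 gw sshd[811]: Failed password for admin from 198.51.100.23 port 41025 ssh2
Jan 10 09:13:40 gw sshd[812]: Failed password for alice from 192.0.2.15 port 50110 ssh2
Jan 10 09:13:55 gw sshd[812]: Accepted password for alice from 192.0.2.15 port 50110 ssh2
"""

# Matches a failed-logon line and captures the client IP address.
FAILED_RE = re.compile(r"Failed password for .+? from (\d+\.\d+\.\d+\.\d+)")


def failed_logon_alerts(log: str, threshold: int = 3):
    """Return the source IPs with more than `threshold` failed logons."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log))
    return sorted(ip for ip, n in counts.items() if n > threshold)


def spending_alert(monthly_totals, current):
    """Flag `current` if it exceeds twice the mean of the last three months."""
    window = monthly_totals[-3:]
    if len(window) < 3:
        return False  # not enough history to form a baseline; do not alert
    moving_average = sum(window) / 3
    return current > 2 * moving_average


if __name__ == "__main__":
    print("failed-logon alerts:", failed_logon_alerts(AUTH_LOG))
    print("spending alert:", spending_alert([400, 450, 500], 1200))
```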
Worms and Viruses
• Worm: self-propagating “malware” that can run itself
• Virus: a worm that replicates by attaching itself to other programs
• Data virus – e.g. a Word macro virus, which can affect the way the program operates and copy itself to new documents
• Email viruses may use popular clients (e.g. MS) to propagate through the use of address books
Trojan Horses
• A seemingly innocent application can hide a Trojan horse
• The application is supposed to perform a useful function – e.g. a file compression / decompression utility
• It actually does nasty things when installed – e.g. deletes essential Operating System files
• More likely not to be so obvious – e.g. installs a root kit to provide remote access to machine
Root Kit
• Malware (spyware, Trojans) that hides its presence from spyware blockers, antivirus and system management utilities
• “Root kit”: comes from “root” (the administrator account under Unix) and “kit” (a set of software tools)
• Attackers try to get “root” access to a system in order to install a root kit, which gives them full control of the system
  – Root kit: set of admin tools replaced by malicious versions
    • Continues to operate in a hidden fashion
Anti-Virus
• Designed to detect all kinds of malware
  – Spyware, adware, bot net software, worms, etc.
• Consists of a generic engine that operates with DATs (data files)
  – DATs contain signatures of binary files known to be malware
• Detects suspected malware through fast pattern matching
Pharming
• Attackers hijack or poison DNS servers
• Users are redirected to the attacker’s website
• The user thinks he is at www.lloydstsb.com, but he is actually at the attackers’ web site
• Attackers steal user personal data (e.g. bank details)
Spam
• Named after a Monty Python sketch
  – Something that is repeated and repeated to great annoyance: “Spam spam spam spam ... Wonderful spam!”
• A scam used to “help” the annual US green card lottery in 1994 led to the wide use of the term “spam”
• Other notorious scams
  – “Advance fee fraud” (e.g. “419” Nigerian scam) – typically conducted by “spam gangs” throughout the world
• Most email spam is “direct marketing”, with ~80% being pharmacy-related
Phishing
• Definition: attempting to steal passwords or other sensitive information by posing as a trustworthy website
• Around 2.3% of spam relates to phishing attacks
• Probably the biggest concern for the security industry today
• Banks are typical targets
• Phishing is analogous to fishing
  – C. Herley and D. Florencio (2008). A profitless endeavour: Phishing as tragedy of the commons. In Proceedings of the 2008 Workshop on New Security Paradigms
Routers and Internet Security
• Organisations are keen to use the Internet – how can they protect themselves from such attacks?
• Routers, being gateways, play a central role in internet security
  – Gates can be locked and guarded
• A router can be configured to allow specific connection requests to pass while blocking all others
  – Such a router is configured as a firewall
Firewalls
• Capabilities are to allow / block
  – connections via specific ports
  – the use of specific protocols
  – connections from specific domains
• Example:
  – Organisations commonly employ firewalls to allow HTTP access on port 80, but block telnet access on port 23
• Companies such as 3Com and Cisco market internet technology to organisations, emphasising security features
Intranet
• The term intranet refers to internal, protected, organisation-wide internets
  – Protected from the public internet by firewalls, or not connected at all
• Many large organisations use them (e.g. to screen against email virus attacks)
[Diagram: Private Intranet – Firewall Gateway – Public Internet]
Extranets
• Companies wish to create secure internet links with partner companies – suppliers & customers – essentially to connect their intranets and allow secure electronic data interchange (EDI)
• This leads to a new marketing term: extranet – an “internet of intranets” with the key feature that specific EDI, transaction and security standards are used
Web Services
• Recent development: XML-based standards for electronic data interchange within extranets have emerged
  – E.g.: a company sells car parts to an automobile manufacturer and uses an XML schema or OWL to represent an ontology for the specification of those parts
• Web Services allow Remote Method Invocation (RMI) over HTTP
  – Use SOAP messaging, WSDL specs for describing remote methods
  – Usually port 80 is open on firewalls – web service calls use the HTTP protocol
Cloud Computing
• Outsourcing of the Intranet / Extranet
  – Local management overhead (with coordination and establishment of exchange protocols) can be handled by a third-party provider
• Has led to the use of Cloud Computing to provide various services:
  – Software: email, document sharing, word processing
  – Infrastructure: workflow among companies
  – Platforms: develop infrastructure / software for others
Infrastructure
• With outsourcing, there is decreasing need for complex infrastructures to be developed / maintained in-house
• But do you trust your service provider?
[Diagram: Internet – External Gateway – Mail Server / FTP Server / Web Server – Internal Gateway – Intranet; labelled “Internet Traffic” on the outer side and “Safe Traffic” on the inner side]
Defence Strategy
• For sys admins, these are things to consider
  – Management: keep your systems up-to-date and configured in ways that will minimise the attack surface
  – Understanding: understand your systems (e.g. use mapping software); understand your users (e.g. need for remote logins?)
  – Training: train staff (technical / non-technical) on how not to expose systems or their personal information
  – Filtering: use appropriately configured firewalls, NAT (Network Address Translation) routers, and other such devices
  – Intrusion detection: monitor your networks for signs of suspicious behaviour (but consider whether / how this is viable)
  – Encryption: require the use of protocols such as SSH, SFTP (and turn off telnet, ftp)
Configuration Management
• Install security patches
• Know what is in configuration files
• Disable default passwords
• Disable unneeded features
• Auditing and logging
• Properly set up firewalls, virus checkers, etc.
• Use vulnerability checking tools
Learn about Vulnerabilities
• Monitor websites
  – US-CERT advisories (us-cert.gov), McAfee, etc.
• Operating system updates (often automated)
  – Microsoft, Apple, Linux
• Don’t let hackers find out about vulnerabilities and develop exploits before you have mitigated the risks!
Defence in Depth
• A combination of layers is much more effective than a single layer
  – The attacker has to penetrate all of them
• Relying on a single layer (e.g. a firewall) is exceedingly dangerous
  – Especially since you know it will have some weaknesses!
Defence in Depth
• First layer: filtering traffic using a firewall
• Second layer: good sys admin
  – Only enable / install what is needed
  – Avoid being too restrictive – people will find ways around an unreasonably constrained environment
• Third layer: good access control
  – Minimise damage if a hacker gets in
• Fourth layer: secure applications
  – Secure programming: well designed, well tested, worst-case scenarios, etc.
• Fifth layer: intrusion detection