Intruder, Intrusion detection system
Virus and related threats, Countermeasures
Firewalls design principles, Trusted systems
Practical implementation of cryptography and security
Slides courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition

Chapter 1: Intruders
Intrusion detection system

Intruders
- significant issue for networked systems is hostile or unwanted access
- either via network or local
- can identify classes of intruders:
  - masquerader
  - misfeasor
  - clandestine user
- varying levels of competence

Intruders
- clearly a growing publicized problem
  - from Wily Hacker in 1986/87
  - to clearly escalating CERT stats
- may seem benign, but still cost resources
- may use compromised system to launch other attacks
- awareness of intruders has led to the development of CERTs

Intrusion Techniques
- aim to gain access and/or increase privileges on a system
- basic attack methodology
  - target acquisition and information gathering
  - initial access
  - privilege escalation
  - covering tracks
- key goal often is to acquire passwords
- so then exercise access rights of owner

Password Guessing
- one of the most common attacks
- attacker knows a login (from email/web page etc)
- then attempts to guess password for it
  - defaults, short passwords, common word searches
  - user info (variations on names, birthday, phone, common words/interests)
  - exhaustively searching all possible passwords
- check by login or against stolen password file
- success depends on password chosen by user
  - surveys show many users choose poorly

Password Capture
- another attack involves password capture
  - watching over shoulder as password is entered
  - using a trojan horse program to collect
  - monitoring an insecure network login
    - eg. telnet, FTP, web, email
  - extracting recorded info after successful login (web history/cache, last number dialed etc)
- using valid login/password can impersonate user
- users need to be educated to use suitable precautions/countermeasures

Intrusion Detection
- inevitably will have security failures
- so need also to detect intrusions so can
  - block if detected quickly
  - act as deterrent
  - collect info to improve security
- assume intruder will behave differently to a legitimate user
  - but will have imperfect distinction between

Approaches to Intrusion Detection
- statistical anomaly detection
  - threshold
  - profile based
- rule based detection
  - anomaly
  - penetration identification

Audit Records
- fundamental tool for intrusion detection
- native audit records
  - part of all common multi-user O/S
  - already present for use
  - may not have info wanted in desired form
- detection-specific audit records
  - created specifically to collect wanted info
  - at cost of additional overhead on system

Statistical Anomaly Detection
- threshold detection
  - count occurrences of specific event over time
  - if exceed reasonable value assume intrusion
  - alone is a crude & ineffective detector
- profile based
  - characterize past behavior of users
  - detect significant deviations from this
  - profile usually multi-parameter

Audit Record Analysis
- foundation of statistical approaches
- analyze records to get metrics over time
  - counter, gauge, interval timer, resource use
- use various tests on these to determine if current behavior is acceptable
  - mean & standard deviation, multivariate, markov process, time series, operational
- key advantage is no prior knowledge used

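The two statistical approaches from the previous slides side by side, as an added example that is not part of the lecture slides: a fixed threshold detector and a multi-parameter profile built from mean and standard deviation of per-day audit counters. The audit-record summaries are constructed sample data.

```python
import statistics

# Constructed audit-record summaries for one user: ten days of history, each day
# reduced to two counters taken from the audit trail (a multi-parameter profile).
HISTORY = [
    {"failed_logins": 2, "files_read": 40}, {"failed_logins": 1, "files_read": 50},
    {"failed_logins": 3, "files_read": 45}, {"failed_logins": 0, "files_read": 55},
    {"failed_logins": 2, "files_read": 50}, {"failed_logins": 1, "files_read": 45},
    {"failed_logins": 2, "files_read": 40}, {"failed_logins": 3, "files_read": 60},
    {"failed_logins": 1, "files_read": 50}, {"failed_logins": 2, "files_read": 65},
]

FIXED_LIMITS = {"failed_logins": 10, "files_read": 500}   # threshold detector settings (constructed)

def threshold_detect(day, limits=FIXED_LIMITS):
    """Threshold detection: flag any counter that exceeds a fixed ceiling.
    Crude on its own: a limit loose enough for every user misses slow abuse."""
    return sorted(m for m, v in day.items() if v > limits[m])

def build_profile(history):
    """Profile-based detection: characterize past behaviour per metric by its
    mean and (population) standard deviation."""
    profile = {}
    for metric in history[0]:
        values = [d[metric] for d in history]
        profile[metric] = (statistics.mean(values), statistics.pstdev(values))
    return profile

def profile_detect(day, profile, k=3.0):
    """Flag metrics whose value lies more than k standard deviations from the
    user's own mean; no prior knowledge of specific attacks is needed."""
    flagged = []
    for metric, value in day.items():
        mean, sd = profile[metric]
        if abs(value - mean) > k * sd:
            flagged.append(metric)
    return sorted(flagged)

if __name__ == "__main__":
    today = {"failed_logins": 6, "files_read": 50}   # constructed current day
    prof = build_profile(HISTORY)
    print("threshold:", threshold_detect(today))       # [] : nothing exceeds a fixed limit
    print("profile:  ", profile_detect(today, prof))   # ['failed_logins']
```

Six failed logins is far outside this user's profile (mean 1.7, standard deviation 0.9) yet well under the fixed limit, which is the slide's point that a threshold alone is a crude detector.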
Rule Based Intrusion Detection
- observe events on system & apply rules to decide if activity is suspicious or not
- rule based anomaly detection
  - analyze historical audit records to identify usage patterns & auto-generate rules for them
  - then observe current behavior & match against rules to see if conforms
  - like statistical anomaly detection does not require prior knowledge of security flaws

Rule Based Intrusion Detection
- rule based penetration identification
  - uses expert systems technology
  - with rules identifying known penetration, weakness patterns, or suspicious behavior
  - compare audit records or states against rules
  - rules usually machine & O/S specific
  - rules are generated by experts who interview & codify knowledge of security admins
  - quality depends on how well this is done

Base Rate Fallacy
- practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  - if too few intrusions detected -> false security
  - if too many false alarms -> ignore/waste time
- this is very hard to do
- existing systems seem not to have a good record

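The base rate fallacy worked through numerically, as an added example not taken from the slides: Bayes' rule gives the fraction of alarms that are real intrusions, and shows how small the false-alarm rate must be when intrusions are rare. The rates used are constructed figures.

```python
def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule, where base_rate is P(intrusion) per
    audit record, detection_rate is P(alarm | intrusion) and false_alarm_rate
    is P(alarm | no intrusion)."""
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)

def expected_alarms(records, base_rate, detection_rate, false_alarm_rate):
    """Expected (true, false) alarms raised over a batch of audit records."""
    intrusions = records * base_rate
    return intrusions * detection_rate, (records - intrusions) * false_alarm_rate

def max_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest P(alarm | no intrusion) for which at least target_precision of
    all alarms are genuine; obtained by solving alarm_precision(...) == target."""
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))

if __name__ == "__main__":
    # Constructed figures: one intrusion per 10,000 records, a detector that
    # catches 99% of them and raises a false alarm on 1% of benign records.
    base, det, fa = 1e-4, 0.99, 0.01
    print(f"P(intrusion | alarm) = {alarm_precision(base, det, fa):.3f}")       # ~0.010
    print("alarms per 1M records (true, false):", expected_alarms(1_000_000, base, det, fa))
    print(f"false-alarm rate needed for 50% precision: {max_false_alarm_rate(base, det, 0.5):.2e}")
```

With these figures only about one alarm in a hundred is a real intrusion, and reaching even 50% requires a false-alarm rate near 1e-4, the same order as the base rate itself.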
Distributed Intrusion Detection
- traditional focus is on single systems
- but typically have networked systems
- more effective defense has these working together to detect intrusions
- issues
  - dealing with varying audit record formats
  - integrity & confidentiality of networked data
  - centralized or decentralized architecture

Distributed Intrusion Detection Architecture (figure slide)

Distributed Intrusion Detection Agent Implementation (figure slide)

Honeypots
- decoy systems to lure attackers
  - away from accessing critical systems
  - to collect information of their activities
  - to encourage attacker to stay on system so administrator can respond
- are filled with fabricated information
- instrumented to collect detailed information on attackers activities
- single or multiple networked systems
- cf IETF Intrusion Detection WG standards

Summary
- have considered:
  - problem of intrusion
  - intrusion detection (statistical & rule based)
  - password management

Chapter 2: Viruses and Other Malicious Content
Virus and related threats, Countermeasures

Viruses and Other Malicious Content
- computer viruses have got a lot of publicity
- one of a family of malicious software
- effects usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- getting more attention than deserve
- are a concern though

Malicious Software (figure slide)

Backdoor or Trapdoor
- secret entry point into a program
- allows those who know access bypassing usual security procedures
- have been commonly used by developers
- a threat when left in production programs allowing exploited by attackers
- very hard to block in O/S
- requires good s/w development & update

Logic Bomb
- one of oldest types of malicious software
- code embedded in legitimate program
- activated when specified conditions met
  - eg presence/absence of some file
  - particular date/time
  - particular user
- when triggered typically damage system
  - modify/delete files/disks, halt machine, etc

Trojan Horse
- program with hidden side-effects
- which is usually superficially attractive
  - eg game, s/w upgrade etc
- when run performs some additional tasks
  - allows attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Zombie
- program which secretly takes over another networked computer
- then uses it to indirectly launch attacks
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems

Viruses
- a piece of self-replicating code attached to some other code
  - cf biological virus
- both propagates itself & carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task

Virus Operation
- virus phases:
  - dormant: waiting on trigger event
  - propagation: replicating to programs/disks
  - triggering: by event to execute payload
  - execution: of payload
- details usually machine/OS specific
  - exploiting features/weaknesses

Virus Structure

    program V :=
    {goto main;
      1234567;
      subroutine infect-executable := {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file;}
      subroutine do-damage := {whatever damage is to be done}
      subroutine trigger-pulled := {return true if condition holds}
    main: main-program :=
      {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}
    next:
    }

Types of Viruses
- can classify on basis of how they attack
  - parasitic virus
  - memory-resident virus
  - boot sector virus
  - stealth
  - polymorphic virus
  - metamorphic virus

Macro Virus
- macro code attached to some data file
  - interpreted by program using file
  - eg Word/Excel macros
  - esp. using auto command & command macros
- code is now platform independent
- is a major source of new viral infections
- blur distinction between data and program files
- classic trade-off: "ease of use" vs "security"
- have improving security in Word etc
- are no longer dominant virus threat

Email Virus
- spread using email with attachment containing a macro virus
  - cf Melissa
- triggered when user opens attachment
  - or worse even when mail viewed by using scripting features in mail agent
- hence propagate very quickly
- usually targeted at Microsoft Outlook mail agent & Word/Excel documents
- need better O/S & application security

Worms
- replicating but not infecting program
- typically spreads over a network
  - cf Morris Internet Worm in 1988
  - led to creation of CERTs
- using users distributed privileges or by exploiting system vulnerabilities
- widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS
- major issue is lack of security of permanently connected systems, esp PC's

Worm Operation
- worm phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  - triggering
  - execution

Morris Worm
- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems
- using several propagation techniques
  - simple password cracking of local pw file
  - exploit bug in finger daemon
  - exploit debug trapdoor in sendmail daemon
- if any attack succeeds then replicated self

Recent Worm Attacks
- new spate of attacks from mid-2001
- Code Red: used MS IIS bug
  - probes random IPs for systems running IIS
  - had trigger time for denial-of-service attack
  - 2nd wave infected 360000 servers in 14 hours
- Code Red 2: installed backdoor
- Nimda: multiple infection mechanisms
- SQL Slammer: attacked MS SQL server
- Sobig.f: attacked open proxy servers
- Mydoom: mass email worm + backdoor

Worm Technology
- multiplatform
- multi-exploit
- ultrafast spreading
- polymorphic
- metamorphic
- transport vehicles
- zero-day exploit

Virus Countermeasures
- best countermeasure is prevention
- but in general not possible
- hence need to do one or more of:
  - detection: of viruses in infected system
  - identification: of specific infecting virus
  - removal: restoring system to clean state

Anti-Virus Software
- first generation
  - scanner uses virus signature to identify virus
  - or change in length of programs
- second generation
  - uses heuristic rules to spot viral infection
  - or uses crypto hash of program to spot changes
- third generation
  - memory-resident programs identify virus by actions
- fourth generation
  - packages with a variety of antivirus techniques
  - eg scanning & activity traps, access controls
- arms race continues

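The first- and second-generation techniques from the slide in miniature, as an added example that is not from the lecture or any real antivirus product: signature and length checks beside a cryptographic-hash baseline. The "programs" are constructed byte strings and the signature is a made-up byte pattern.

```python
import hashlib

# Constructed signature table: a made-up byte pattern, not a real virus signature.
SIGNATURES = {"DEMO-SIG-A": b"\x90\x90\xcc\xcc\x90"}

def scan_for_signatures(program, signatures=SIGNATURES):
    """First generation: report every known signature found in the program."""
    return sorted(name for name, pattern in signatures.items() if pattern in program)

def length_changed(program, recorded_length):
    """First generation, second technique: a changed program length is suspicious."""
    return len(program) != recorded_length

def baseline(programs):
    """Second generation: record a cryptographic hash (and the length) of every
    program while the system is known to be clean."""
    return {name: (hashlib.sha256(data).hexdigest(), len(data))
            for name, data in programs.items()}

def changed_programs(programs, base):
    """Compare current hashes against the baseline: any difference means the
    program was modified, whether or not a signature for the change exists."""
    return sorted(name for name, data in programs.items()
                  if name not in base or hashlib.sha256(data).hexdigest() != base[name][0])

if __name__ == "__main__":
    programs = {"ls": b"ELF-constructed-ls", "sh": b"ELF-constructed-sh"}
    base = baseline(programs)
    programs["sh"] = b"\x90\x90\xcc\xcc\x90" + programs["sh"]   # constructed modification
    programs["cat"] = b"ELF-constructed-cat"                     # new, never baselined
    print(scan_for_signatures(programs["sh"]))                   # ['DEMO-SIG-A']
    print(length_changed(programs["sh"], base["sh"][1]))          # True
    print(changed_programs(programs, base))                      # ['cat', 'sh']
```

The hash check flags the unknown program and the modified one without knowing what changed them; the signature scan only fires on the pattern it already knows.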
Advanced Anti-Virus Techniques
- generic decryption
  - use CPU simulator to check program signature & behavior before actually running it
- digital immune system (IBM)
  - general purpose emulation & virus detection
  - any virus entering org is captured, analyzed, detection/shielding created for it, removed

Digital Immune System (figure slide)

Behavior-Blocking Software
- integrated with host O/S
- monitors program behavior in real-time
  - eg file access, disk format, executable mods, system settings changes, network access
- for possibly malicious actions
  - if detected can block, terminate, or seek ok
- has advantage over scanners
- but malicious code runs before detection

Distributed Denial of Service Attacks (DDoS)
- Distributed Denial of Service (DDoS) attacks form a significant security threat
- making networked systems unavailable
  - by flooding with useless traffic
  - using large numbers of zombies
- growing sophistication of attacks
- defense technologies struggling to cope

Distributed Denial of Service Attacks (DDoS) (figure slide)

Constructing the DDoS Attack Network
- must infect large number of zombies
- needs:
  1. software to implement the DDoS attack
  2. an unpatched vulnerability on many systems
  3. scanning strategy to find vulnerable systems
     - random, hit-list, topological, local subnet

DDoS Countermeasures
- three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & ident (after)
- huge range of attack possibilities
- hence evolving countermeasures

Summary
- have considered:
  - various malicious programs
    - trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
  - distributed denial of service attacks

Chapter 3: Firewalls

Introduction
- seen evolution of information systems
- now everyone wants to be on the Internet
- and to interconnect networks
- has persistent security concerns
  - can't easily secure every system in org
- typically use a Firewall
- to provide perimeter defence
- as part of comprehensive security strategy

What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- provide NAT & usage monitoring
- implement VPNs using IPSec
- must be immune to penetration

Firewall Limitations
- cannot protect from attacks bypassing it
  - eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
- cannot protect against internal threats
  - eg disgruntled or colluding employees
- cannot protect against transfer of all virus infected programs or files
  - because of huge range of O/S & file types

Firewalls - Packet Filters
- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies
  - that not expressly permitted is prohibited
  - that not expressly prohibited is permitted

Firewalls - Packet Filters (figure slides)

Attacks on Packet Filters
- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block
- source routing attacks
  - attacker sets a route other than default
  - block source routed packets
- tiny fragment attacks
  - split header info over several tiny packets
  - either discard or reassemble before check

Firewalls - Stateful Packet Filters
- traditional packet filters do not examine higher layer context
  - ie matching return packets with outgoing flow
- stateful packet filters address this need
- they examine each IP packet in context
  - keep track of client-server sessions
  - check each packet validly belongs to one
- hence are better able to detect bogus packets out of context

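A default-deny packet filter from the earlier slide beside the stateful version from this one, as an added example that is not part of the lecture slides: the rule set, the inside network (10.) and the addresses (203.0.113.x documentation range) are constructed, and address matching is a toy string-prefix test.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed rule set: (src prefix, dst prefix, dst port, action); "*" matches anything.
RULES = [
    ("10.", "*", 80, "permit"),          # inside hosts may open HTTP to anywhere
    ("10.", "*", 443, "permit"),         # ... and HTTPS
    ("*", "10.0.0.25", 25, "permit"),    # anyone may deliver mail to the mail gateway
]
DEFAULT_POLICY = "deny"   # "that not expressly permitted is prohibited"

def _match(value, pattern):
    return pattern == "*" or str(value).startswith(pattern)

def stateless_filter(pkt, rules=RULES, default=DEFAULT_POLICY):
    """Plain packet filter: first matching rule wins, no notion of sessions."""
    for src, dst, dport, action in rules:
        if _match(pkt.src, src) and _match(pkt.dst, dst) and pkt.dport == dport:
            return action
    return default

class StatefulFilter:
    """Stateful packet filter: remembers sessions the rules permitted and admits
    a packet in the reverse direction only if it belongs to one of them."""
    def __init__(self, rules=RULES, default=DEFAULT_POLICY):
        self.rules, self.default = rules, default
        self.sessions = set()   # (client, client port, server, server port); no expiry modelled

    def filter(self, pkt):
        if stateless_filter(pkt, self.rules, self.default) == "permit":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"       # valid reply to an established session
        return self.default       # out-of-context packet, even if it looks like a reply

if __name__ == "__main__":
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 80)   # inside -> web server
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 51000)     # the server's answer
    stray = Packet("203.0.113.10", 80, "10.0.0.7", 51000)     # reply-shaped, but no session
    print(stateless_filter(request), stateless_filter(reply))          # permit deny
    sf = StatefulFilter()
    print(sf.filter(request), sf.filter(reply), sf.filter(stray))      # permit permit deny
```

The stateless filter has to choose between dropping the legitimate reply and adding a rule that admits every inbound packet from port 80 to any high port; the stateful filter admits only replies that reverse a session it recorded.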
Firewalls - Application Level Gateway (or Proxy)
- have application specific gateway/proxy
- has full access to protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- can log/audit traffic at application level
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic

Firewalls - Application Level Gateway (or Proxy) (figure slide)

Firewalls - Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created usually relays traffic without examining contents
- typically used when trust internal users by allowing general outbound connections
- SOCKS is commonly used

Firewalls - Circuit Level Gateway (figure slide)

Bastion Host
- highly secure host system
- runs circuit/application level gateways
- or provides externally accessible services
- potentially exposed to "hostile" elements
- hence is secured to withstand this
  - hardened O/S, essential services, extra auth
  - proxies small, secure, independent, non-privileged
- may support 2 or more net connections
- may be trusted to enforce policy of trusted separation between these net connections

Firewall Configurations (figure slides)

Access Control
- given system has identified a user
- determine what resources they can access
- general model is that of access matrix with
  - subject: active entity (user, process)
  - object: passive entity (file or resource)
  - access right: way object can be accessed
- can decompose by
  - columns as access control lists
  - rows as capability tickets

Access Control Matrix (figure slide)

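The access matrix and its two decompositions from the slide, as an added example that is not part of the lecture: columns become per-object access control lists and rows become per-subject capability tickets, and a check confirms both views answer every query identically. The subjects, objects and rights are constructed.

```python
# Constructed access matrix: rows are subjects, columns are objects, and each
# cell holds the set of access rights that subject has on that object.
MATRIX = {
    "alice":  {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":    {"report.doc": {"read", "write"}, "printer": {"use"}},
    "backup": {"payroll.db": {"read"}, "report.doc": {"read"}},
}

def access_control_lists(matrix):
    """Decompose by columns: one ACL per object, listing each subject's rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def capability_lists(matrix):
    """Decompose by rows: one capability list per subject, a set of
    (object, right) tickets the subject holds."""
    return {subject: {(obj, right) for obj, rights in row.items() for right in rights}
            for subject, row in matrix.items()}

def acl_permits(acls, subject, obj, right):
    """Object-centred check: is the subject on this object's ACL with this right?"""
    return right in acls.get(obj, {}).get(subject, set())

def capability_permits(caps, subject, obj, right):
    """Subject-centred check: does the subject hold a ticket for this access?"""
    return (obj, right) in caps.get(subject, set())

def decompositions_agree(matrix):
    """Both views are exact re-encodings of the matrix, so every
    (subject, object, right) query must get the same answer from each."""
    acls, caps = access_control_lists(matrix), capability_lists(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(acl_permits(acls, s, o, r) == capability_permits(caps, s, o, r)
               for s in matrix for o in objects for r in rights)

if __name__ == "__main__":
    print(access_control_lists(MATRIX)["payroll.db"])   # {'alice': {...}, 'backup': {'read'}}
    print(sorted(capability_lists(MATRIX)["bob"]))      # bob's tickets
    print(decompositions_agree(MATRIX))                 # True
```

The ACL view makes "who can touch payroll.db" a single lookup, while the capability view makes "what can bob do" a single lookup; which is cheap to review or revoke follows from the decomposition chosen.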
Trusted Computer Systems
- information security is increasingly important
- have varying degrees of sensitivity of information
  - cf military info classifications: confidential, secret etc
- subjects (people or programs) have varying rights of access to objects (information)
- known as multilevel security
  - subjects have maximum & current security level
  - objects have a fixed security level classification
- want to consider ways of increasing confidence in systems to enforce these rights

Bell-LaPadula (BLP) Model
- one of the most famous security models
- implemented as mandatory policies on system
- has two key policies:
- no read up (simple security property)
  - a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
- no write down (*-property)
  - a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object

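The two BLP policies as a mandatory access decision, together with the maximum/current level distinction from the previous slide, as an added example not taken from the lecture: reads are checked against the simple security property and writes/appends against the *-property. The level names and the subject are constructed.

```python
# Constructed linear ordering of security levels; higher number dominates lower.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(a, b):
    """Security level a dominates b when a is at least as high as b (a >= b)."""
    return LEVELS[a] >= LEVELS[b]

def blp_allows(subject_current, object_level, access):
    """Mandatory BLP decision for one access.
    read         -> no read up:    subject's current level must dominate the object's
    write/append -> no write down: object's level must dominate the subject's"""
    if access == "read":
        return dominates(subject_current, object_level)
    if access in ("write", "append"):
        return dominates(object_level, subject_current)
    raise ValueError(f"unknown access type {access!r}")

class Subject:
    """A subject has a fixed maximum clearance and a current level it may lower
    itself to but never raise above the maximum; objects carry a fixed classification."""
    def __init__(self, name, maximum):
        self.name, self.maximum, self.current = name, maximum, maximum

    def set_current(self, level):
        if not dominates(self.maximum, level):
            return False          # cannot operate above one's clearance
        self.current = level
        return True

    def can(self, access, object_level):
        return blp_allows(self.current, object_level, access)

if __name__ == "__main__":
    alice = Subject("alice", "secret")                    # constructed subject
    print(alice.can("read", "top secret"))    # False: read up is blocked
    print(alice.can("read", "confidential"))  # True:  read down is fine
    print(alice.can("write", "confidential")) # False: write down is blocked at level secret
    print(alice.set_current("confidential"))  # True:  lower the current level ...
    print(alice.can("write", "confidential")) # True:  ... and the same-level write is allowed
    print(alice.can("append", "top secret"))  # True:  appending upward never leaks
```

Lowering the current level is how a cleared user edits a lower-classified document without violating the *-property; at the lowered level the user also loses read access to anything above it.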
Reference Monitor (figure slide)

Evaluated Computer Systems
- governments can evaluate IT systems
- against a range of standards:
  - TCSEC, IPSEC and now Common Criteria
- define a number of levels of evaluation with increasingly stringent checking
- have published lists of evaluated products
  - though aimed at government/defense use
  - can be useful in industry also

Common Criteria
- international initiative specifying security requirements & defining evaluation criteria
- incorporates earlier standards
  - eg CSEC, ITSEC, CTCPEC (Canadian), Federal (US)

Common Criteria
- defines set of security requirements
- have a Target Of Evaluation (TOE)
- requirements fall in two categories
  - functional
  - assurance
- both organised in classes of families & components

Common Criteria Requirements
- Functional Requirements
  - security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path
- Assurance Requirements
  - configuration management, delivery & operation, development, guidance documents, life-cycle support, tests, vulnerability assessment, assurance maintenance

Common Criteria (figure slides)

Summary
- have considered:
  - firewalls
  - types of firewalls
  - configurations
  - access control
  - trusted systems
  - common criteria