Internet Infrastructure Security

The document provides an introduction to internet infrastructure security. It discusses topics like packet flooding, DDoS attacks, botnets, authentication, authorization, accountability, integrity, risks, threats, vulnerabilities and security goals.


Internet Security
Introduction

ITU/APNIC/MICT IPv6 Security Workshop
23rd – 27th May 2016
Bangkok

Last updated 5th May 2015


Introduction to Internet Infrastructure Security
p Introduction to the main network security issues that infrastructure operators need to be aware of.
p This includes discussion on packet flooding, Internet worms, DDoS attacks and Botnets

Why Security
Why do we need security on the Internet?

Why Security?
p The Internet was initially designed for
connectivity
n Trust is assumed, no security
n Security protocols added on top of the TCP/IP
p Fundamental aspects of information must be
protected
n Confidential data
n Employee information
n Business models
n Protect identity and resources
p The Internet has become fundamental to our
daily activities (business, work, and personal)
Internet Evolution
[Figure: timeline from LAN connectivity, to application-specific networks, to application/data networks, with more online content hosted in the “cloud”]
p Different ways to handle security as the Internet evolves

ACRONYM/TERM OVERLOAD
p CIA
n Confidentiality
n Integrity
n Availability
p Access Control
n Authentication
n Authorisation
n Accountability
p Risk
p Threat
p Vulnerability
p Impact

Goals of Information Security
SECURITY
p Confidentiality – prevents unauthorized use or disclosure of information
p Integrity – safeguards the accuracy and completeness of information
p Availability – authorized users have reliable and timely access to information
Access Control
p The ability to permit or deny the use of an object by a subject.
p It provides 3 essential services:
n Authentication (identification of a user)
n Authorisation (who is allowed to use a service)
n Accountability (what did a user do)
Authentication
p a means to verify or prove a user’s identity
p The term “user” may refer to:
n Person
n Application or process
n Machine or device
p Identification comes before authentication
n Provide username to establish user’s identity
p To prove identity, a user must present either of
the following:
n What you know (passwords, passphrase, PIN)
n What you have (token, smart cards, passcodes, RFID)
n Who you are (biometrics such as fingerprints and iris
scan, signature or voice)
Authentication – Examples of Tokens
[Figure: photos of RFID cards, an eToken, smart cards and a fingerprint scanner]
Authentication - Trusted Network
p Standard defensive-oriented technologies
n Firewall – first line of defense
n Intrusion Detection – second line of defense
p Build TRUST on top of the TCP/IP
infrastructure
n Strong authentication
p Two-factor authentication
p something you have + something you know
n Public Key Infrastructure (PKI)
Strong Authentication
p An absolute requirement
p Two-factor authentication
n Passwords (something you know)
n Tokens (something you have)
p Examples:
n Passwords
n Tokens
n Tickets
n Restricted access
n PINs
n Biometrics
n Certificates
Two-factor Authentication
p Requires a user to provide at least two authentication ‘factors’ to prove his identity
n something you know
p Username/userID and password
n something you have
p Token using a one-time password (OTP)
p The OTP is generated using a small electronic device in physical possession of the user
n Different OTP generated each time and expires after some time
n An alternative way is through applications installed on your mobile device
p Multi-factor authentication is also common
Authorisation
p Defines the user’s rights and permissions on a
system
p Typically done after user has been authenticated
p Grants a user access to a particular resource and
what actions he is permitted to perform on that
resource
p Access criteria based on the level of trust:
n Roles
n Groups
n Location
n Time
n Transaction type
Authentication vs. Authorisation
[Figure: a client passes through the authentication mechanism and then the authorisation mechanism before reaching the service]
“Authentication simply identifies a party, Authorisation defines whether they can perform certain action” – RFC 3552
Authorisation Concepts
p Authorisation Creep
n When users may possess unnecessarily high access
privileges within an organization
p Default to Zero
n Start with zero access and build on top of that
p Need to Know Principle
n Least privilege; give access only to information that the user absolutely needs
p Access Control Lists
n List of users allowed to perform particular access to an
object (read, write, execute, modify)
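The concepts on the two preceding slides (access criteria based on roles, location and time; default to zero; least privilege; access control lists; authorisation creep) fit together in one evaluator. The Python below is an added example, not code from the slides: the ACL, role table and users are constructed data, and `is_authorised` is written so that every path that is not an explicit match denies access. `authorisation_creep` reports direct grants a user holds beyond what their roles require, which is how creep is found in practice.

```python
import ipaddress

# Constructed role table: role -> set of (resource, action) the role needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "operator": {("reports", "read"), ("routers", "read"), ("routers", "write")},
}

# Constructed per-object ACL. Each entry names the roles allowed to perform the
# action and, optionally, the hours and source networks from which it is allowed.
ACL = {
    "reports": {
        "read": {"roles": {"analyst", "operator"}},
    },
    "routers": {
        "read": {"roles": {"operator"}},
        "write": {
            "roles": {"operator"},
            "hours": (8, 18),                                   # 08:00-17:59 only
            "networks": [ipaddress.ip_network("10.0.0.0/24")],  # management LAN only
        },
    },
}


def is_authorised(user: dict, resource: str, action: str, src_ip: str, hour: int) -> bool:
    """Default to zero: return True only when an ACL entry explicitly matches
    the user's role and every condition attached to that entry holds."""
    if not user.get("authenticated"):            # authorisation follows authentication
        return False
    entry = ACL.get(resource, {}).get(action)
    if entry is None:                             # unknown object or action: no entry, no access
        return False
    if not set(user.get("roles", ())) & entry["roles"]:
        return False
    if "hours" in entry:
        start, end = entry["hours"]
        if not start <= hour < end:
            return False
    if "networks" in entry:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in entry["networks"]):
            return False
    return True


def authorisation_creep(user: dict) -> set:
    """Least-privilege audit: direct grants the user holds that none of
    their roles need. A non-empty result is authorisation creep."""
    needed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.get("roles", ())))
    return set(user.get("direct_grants", set())) - needed


if __name__ == "__main__":
    alice = {"name": "alice", "authenticated": True, "roles": ["operator"]}
    print(is_authorised(alice, "routers", "write", "10.0.0.5", 10))   # True
    print(is_authorised(alice, "routers", "write", "10.0.0.5", 2))    # False: outside hours
    bob = {"name": "bob", "authenticated": True, "roles": ["analyst"],
           "direct_grants": {("reports", "read"), ("routers", "write")}}
    print(authorisation_creep(bob))                                   # {('routers', 'write')}
```

Note that `bob`'s stray direct grant does not get him write access through `is_authorised`, because the evaluator consults roles only; the audit function exists so that such grants are found and removed rather than silently tolerated.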
Authorisation - Single Sign On
p Property of access control where a user logs in
only once and gains access to all authorized
resources within a system.
p Benefits:
n Ease of use
n Reduces logon cycle (time spent re-entering passwords
for the same identity)
p Common SSO technologies:
n Kerberos, RADIUS
n Smart card based
n OTP Token
n Shibboleth / SAML
n OpenID
p Disadvantage: Single point of attack
Authorisation –
Types of Access Control
p Centralized Access Control
n RADIUS
n TACACS+
n Diameter
p Decentralized Access Control
n Control of access by people who are closer to
the resources
n No method for consistent control
Accountability
p The security goal that generates the
requirement for actions of an entity to be
traced uniquely to that entity
n Senders cannot deny sending information
n Receivers cannot deny receiving it
n Users cannot deny performing a certain action
p Supports nonrepudiation, deterrence, fault
isolation, intrusion detection and
prevention and after-action recovery and
legal action
Source: NIST Risk Management Guide for
Information Technology Systems
Integrity
p Security goal that generates the
requirement for protection against either
intentional or accidental attempts to
violate data integrity
p Data integrity
n The property that data has when it has not
been altered in an unauthorized manner
p System integrity
n The quality that a system has when it performs
its intended function in an unimpaired manner,
free from unauthorized manipulation
Source: NIST Risk Management Guide for
Information Technology Systems
Risk, Threats, and Vulnerability
p Threat
n Any circumstance or event with the potential to
cause harm to a networked system
p Vulnerability
n A weakness in security procedures, network
design, or implementation that can be
exploited to violate a corporate security policy
p Risk
n The possibility that a particular vulnerability
will be exploited
Threat
p “a motivated, capable adversary”
p Examples:
n Human Threats
p Intentional or unintentional
p Malicious or benign
n Natural Threats
p Earthquakes, tornadoes, floods, landslides
n Environmental Threats
p Long-term power failure, pollution, liquid leakage
Vulnerability
p A weakness in security procedures,
network design, or implementation that
can be exploited to violate a corporate
security policy
n Software bugs
n Configuration mistakes
n Network design flaw
n Lack of encryption
p Where to check for vulnerabilities?
p Exploit
n Taking advantage of a vulnerability
Risk
p Likelihood that a vulnerability will be exploited
p Some questions:
n How likely is it to happen?
n What is the level of risk if we decide to do nothing?
n Will it result in data loss?
n What is the impact on the reputation of the company?
p Categories:
n High, medium or low risk

Risk = Threat * Vulnerability * Impact

What Can Intruders Do?
p Eavesdrop - compromise routers, links, or
DNS
p Send arbitrary messages (spoof IP
headers and options)
p Replay recorded messages
p Modify messages in transit
p Write malicious code and trick people into
running it
p Exploit bugs in software to ‘take over’
machines and use them as a base for
future attacks
What are Security Goals?
p Controlling Data Access
p Controlling Network Access
p Protecting Information in Transit
p Ensuring Network Availability
p Preventing Intrusions
p Responding To Incidents
Goals are Determined by
p Services offered vs. security provided
n Each service offers its own security risk
p Ease of use vs. security
n Easiest system to use allows access to any
user without password
p Cost of security vs. risk of loss
n Cost to maintain

Goals must be communicated to all users, staff, managers, through a set of security rules called “security policy”
Causes of Security Related Issues

p Protocol error
n No one gets it right the first time
p Software bugs
n Is it a bug or feature ?
p Active attack
n Target control/management plane
n Target data plane
n More probable than you think !
p Configuration mistakes
n Most common form of problem
Why Worry About Security?
p How much you worry depends on risk
assessment analysis
n Risk analysis: the process of identifying
security risks, determining their impact, and
identifying areas requiring protection
p Must compare need to protect asset with
implementation costs
p Define an effective security policy with
incident handling procedures
Characteristics of a Good Policy
p Can it be implemented technically?
p Are you able to implement it
organizationally?
p Can you enforce it with security tools and/
or sanctions?
p Does it clearly define areas of
responsibility for the users,
administrators, and management?
p Is it flexible and adaptable to changing
environments?
RFC 2196 - http://www.ietf.org/rfc/rfc2196.txt
What Are You Protecting?
p Identify Critical Assets
n Hardware, software, data, people,
documentation
p Place a Value on the Asset
n Intangible asset – importance or criticality
n Tangible asset – replacement value, training
costs and/or immediate impact of the loss
p Determine Likelihood of Security Breaches
n What are threats and vulnerabilities ?
Impact and Consequences
p Data compromise
n Stolen data
n can be catastrophic for a financial institution
p Loss of data integrity
n Negative press or loss of reputation (bank, public trust)
p Unavailability of resources
n The average amount of downtime following a DDoS attack is 54 minutes
n The average cost of one minute of downtime due to DDoS attack is $22,000*
* Based on a Ponemon Institute study (2012)
Risk Mitigation vs Cost
Risk mitigation: the process of selecting appropriate controls to reduce risk to an acceptable level.

The level of acceptable risk is determined by comparing the risk of security hole exposure to the cost of implementing and enforcing the security policy.

Assess the cost of certain losses and do not spend more to protect something than it is actually worth.

[Figure: thought bubbles asking “Will I Go Bankrupt ?” and “Is it an embarrassment ?”]
Evolution of Attack Landscape
[Figure: chart of Attack Sophistication against Intruder Knowledge, 1990 to 2012. Milestones plotted on the chart include: packet spoofing; automated probes/scans; hijacking sessions; GUI intruder tools; techniques to analyze code for vulnerabilities without source code; Internet social engineering attacks; widespread denial-of-service attacks; Windows-based remote controllable Trojans (Back Orifice); increase in wide-scale Trojan horse distribution; distributed attack tools; automated widespread attacks; home users targeted; executable code attacks (against browsers); anti-forensic techniques; widespread attacks on DNS infrastructure; sophisticated command & control; widespread attacks using NNTP to distribute attack; increase in worms; “stealth”/advanced scanning techniques; DDoS attacks; email propagation of malicious code]

Attack Motivation
p Criminal
n Criminals who use critical infrastructure as a tool to commit crime
n Their motivation is money
p War Fighting/Espionage/Terrorist
n What most people think of when talking about threats to critical infrastructure
p Patriotic/Principle
n Large groups of people motivated by a cause - be it national pride or a passion, aka Anonymous
Attack Motivation
p Nation States want SECRETS
p Organized criminals want MONEY
p Protesters or activists want ATTENTION
p Hackers and researchers want
KNOWLEDGE

Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014

The Threat Matrix
[Figure: 2x2 matrix with Degree of Focus on the horizontal axis. Quadrants: Joy hacks, Opportunistic hacks, Targeted attacks, Advanced Persistent Threats]
Attack Sources
p Active attack involves writing data to the network. It is common to disguise one’s address and conceal the identity of the traffic sender.
p Passive attack involves only reading data on the network. Its purpose is breach of confidentiality.

Active Attacks: Denial of Service attacks, Spoofing, Man in the Middle, ARP poisoning, Smurf attacks, Buffer overflow, SQL Injection
Passive Attacks: Reconnaissance, Eavesdropping, Port scanning

Source: RFC 4778


Attack Sources
p On-path vs. Off-path
n On-path hosts can read, modify, or remove any
datagram transmitted along the path
n Off-path hosts can transmit datagrams that appear to
come from any hosts but cannot necessarily receive
datagrams intended for other hosts
p Insider vs. outsider
n What is definition of perimeter/border?
p Deliberate vs. unintentional event
n Configuration errors and software bugs are as harmful
as a deliberate malicious network attack

Source: RFC 4778


General Threats
p Masquerade
n An entity claims to be another entity
p Eavesdropping
n An entity reads information it is not intended to read
p Authorisation violation
n An entity uses a service or resource it is not intended to use
p Loss or modification of information
n Data is being altered or destroyed
p Denial of communication acts (repudiation)
n An entity falsely denies its participation in a communication act
p Forgery of information
n An entity creates new information in the name of another entity
p Sabotage
n Any action that aims to reduce the availability and/or correct
functioning of services or systems
Reconnaissance Attack
p Unauthorised users gather information about the network or system before launching other more serious types of attacks
p Also called eavesdropping
p Information gained from this attack is used in
subsequent attacks (DoS or DDoS type)
p Examples of relevant information:
n Names, email address
p Common practice to use a person’s first initial and last
name for accounts
n Practically anything
Man-in-the-Middle Attack
p Active eavesdropping
p Attacker makes independent connections
with victims and relays messages between
them, making them believe that they are
talking directly to each other over a
private connection, when in fact the entire
conversation is controlled by the attacker
p Usually a result of lack of end-to-end
authentication
p Masquerading - an entity claims to be
another entity
Session Hijacking
p Exploitation of a valid computer session, to gain
unauthorized access to information or services in
a computer system.
p Theft of a “magic cookie” used to authenticate a
user to a remote server (for web developers)
p Four methods:
n Session fixation – attacker sets a user’s session id to
one known to him, for example by sending the user an
email with a link that contains a particular session id.
n Session sidejacking – attacker uses packet sniffing to
read network traffic between two parties to steal the
session cookie.
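The two hijacking methods listed above have standard server-side mitigations: against session fixation, never keep the session id the client arrived with once the user authenticates, but issue a fresh unguessable one; against sidejacking, mark the cookie so the browser only sends it over TLS. The Python below is an added example, not code from the slides; the `SessionStore` class and `set_cookie_header` helper are constructed for illustration and use only the standard library.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session table with the two mitigations the
    hijacking methods above call for: a new id on login (fixation) and an
    idle timeout so a stolen id has a bounded lifetime."""

    def __init__(self, idle_timeout: int = 1800):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"user": str or None, "last_seen": float}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: not guessable, not derivable from user data.
        return secrets.token_urlsafe(32)

    def start(self, now=None) -> str:
        """Anonymous session for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now if now is not None else time.time()}
        return sid

    def login(self, presented_sid: str, user: str, now=None) -> str:
        """Authentication succeeded. The id the client presented is discarded
        whether it was issued here or chosen by an attacker, and a fresh id
        is bound to the user, so a fixated id never becomes an authenticated one."""
        now = now if now is not None else time.time()
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid: str, now=None):
        """Resolve a presented id to a user; idle sessions expire on lookup."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure keeps the cookie off plaintext HTTP, where a sniffer could read it;
    HttpOnly keeps it away from page scripts; SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    fixated = "id-the-attacker-sent-in-a-link"      # constructed attacker-chosen value
    real = store.login(fixated, "alice")
    print("fixated id still valid after login?", store.user_for(fixated) is not None)  # False
    print("fresh id resolves to user:", store.user_for(real))                          # alice
    print(set_cookie_header(real))
```

Rotating the id on login is the part most frameworks get right only if asked (many expose it as a "regenerate session" call); the idle timeout and the cookie attributes are the remaining pieces that limit what a sniffed or leaked id is worth.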
Denial of Service (DoS) Attack
p Attempt to make a machine or network resource unavailable to its intended users.
p Purpose is to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet
p Saturating the target with external communications requests (server overload)
n May include malware to max out target resources, trigger errors, or crash the operating system
p DDoS attacks are more dynamic and come from a broader range of attackers
p Can be used as a redirection and reconnaissance technique
Reflected Denial of Service (rDoS)
p Involves sending forged requests to
hundreds of machines with replies directed
to a victim server
p Attacker modifies the source IP address
(spoofing)
p Replies are expected to be much bigger
than the request
p DNS is used for this due to its lack of
source validation
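From the victim's or transit operator's side, the rDoS pattern just described has a recognisable shape in flow records: one destination receives large UDP replies from many distinct reflectors (DNS, NTP and the like) at once, whereas a genuine client talks to one or two resolvers and gets small answers. The Python below is an added example, not code from the slides: the NetFlow-style records are constructed sample data, and `find_reflection_victims` is a simple detector over them, grouping reflector-port replies by destination and flagging destinations that exceed a source-count and bytes-per-packet threshold.

```python
from collections import defaultdict

# Constructed NetFlow-style sample records (not from the slides):
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
SAMPLE_FLOWS = """\
192.0.2.10,53,198.51.100.7,40000,udp,3200,2
192.0.2.11,53,198.51.100.7,40000,udp,3100,2
192.0.2.12,53,198.51.100.7,40000,udp,3000,2
192.0.2.13,53,198.51.100.7,40000,udp,2900,2
192.0.2.20,123,198.51.100.7,40000,udp,4680,10
192.0.2.21,123,198.51.100.7,40000,udp,4680,10
203.0.113.5,51234,192.0.2.10,53,udp,64,1
192.0.2.10,53,203.0.113.5,51234,udp,120,1
"""

# UDP services commonly abused as reflectors: no source validation, replies
# larger than requests. The numbers are the well-known service ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN", 161: "SNMP"}


def parse_flows(text: str) -> list:
    """Parse the comma-separated records above into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto.lower(), "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def find_reflection_victims(flows: list, min_sources: int = 3,
                            min_bytes_per_pkt: float = 400.0) -> dict:
    """Group UDP replies that come FROM a reflector port, keyed by the host
    receiving them. A destination fed by many distinct reflectors with large
    packets is the likely spoofed victim; a real client (few sources, small
    answers) stays below both thresholds."""
    stats = defaultdict(lambda: {"sources": set(), "services": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        s = stats[f["dst"]]
        s["sources"].add(f["src"])
        s["services"].add(REFLECTOR_PORTS[f["sport"]])
        s["bytes"] += f["bytes"]
        s["pkts"] += f["pkts"]

    victims = {}
    for dst, s in stats.items():
        bytes_per_pkt = s["bytes"] / s["pkts"]
        if len(s["sources"]) >= min_sources and bytes_per_pkt >= min_bytes_per_pkt:
            victims[dst] = {"sources": len(s["sources"]),
                            "services": s["services"],
                            "bytes_per_pkt": round(bytes_per_pkt, 1)}
    return victims


if __name__ == "__main__":
    for victim, info in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {info['sources']} reflectors, {sorted(info['services'])}, "
              f"{info['bytes_per_pkt']} bytes/packet")
```

On real exports the thresholds are tuned per link and the grouping is done per time window, but the two signals (reflector fan-in and reply size) are the same ones operators use; the lasting fix is upstream, where ingress filtering (BCP 38) stops the spoofed requests from leaving the attacker's network in the first place.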
Summary - Most Common
Threats and Attacks
p Unauthorized access – insecure hosts, cracking
p Eavesdropping a transmission – access to the
medium
n Looking for passwords, credit card numbers, or business
secrets
p Hijacking, or taking over a communication
n Inspect and modify any data being transmitted
p IP spoofing, or faking network addresses
n Impersonate to fool access control mechanisms
n Redirect connections to a fake server
p DOS attacks
n Interruption of service due to system destruction or
using up all available system resources for the service
n CPU, memory, bandwidth
Attack Trends
p Key findings:
n Largest DDoS attack at 309Gbps
n Multiple attacks over 100Gbps
n Hacktivism is top commonly perceived motivation behind
attacks
n Customers are the most common target of attacks, with
service infrastructure coming second

Source: Arbor Networks Worldwide Infrastructure Security Report 2014
Attack Trends
p Infrastructure-based attacks were the preferred
attack vector (more than 80% of DDoS attacks)
n SYN floods, UDP floods, DNS, ICMP, ACK floods,
CHARGEN, SNMP

Source: Prolexic Q2 2014 Global DDOS Attack Report


Attack Trends
p Downward trend in the use of application-
layer attacks
p “To launch significant DDoS layer 7 attack
campaigns, attackers need to possess
sophisticated skills. Few attackers are
capable of these attacks, as it requires
compromising servers and applications by
the exploitation of vulnerabilities, and
often requires code customization”

Source: Prolexic Q2 2014 Global DDOS Attack Report


Attack Trends - Breach Sources
[Figure: breach lifecycle of Infiltration, Aggregation and Exfiltration]

Source: Trustwave 2012 Global Security Report

Global Map of DDoS Attacks

https://www.stateoftheinternet.com/trends-visualizations-security-real-time-global-ddos-attack-sources-types-and-targets.html