Network Security

Network Security Architecture

 Lecture Outline
► Attacks, services and mechanisms
► Security attacks
► Security services
► Internet standards and RFCs
 Services, Mechanisms, Attacks
► Need systematic way to define requirements
► Consider three aspects of information
security:
 security attack
 security mechanism
 security service
► Consider in reverse order
 Security Service
► Is something that enhances the security of the data
processing systems and the information transfers of
an organization
► Intended to counter security attacks
► Make use of one or more security mechanisms to
provide the service
► Replicate functions normally associated with physical
documents e.g.
 have signatures or dates
 need protection from disclosure, tampering, or destruction
 be notarized or witnessed
 be recorded or licensed
 Security Mechanism
►A mechanism that is designed to detect, prevent,
or recover from a security attack
► No single mechanism that will support all functions
required
► However one particular element underlies many of
the security mechanisms in use: cryptographic
techniques
► Hence our review of this area
 Security Attacks
► Any action that compromises the security of
information owned by an organization
► Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
► Have a wide range of attacks
► Can focus on generic types of attacks

 Note: often threat & attack mean same

 .
Security Attacks
 Security Attacks
► Interruption: This is an attack on
availability
► Interception: This is an attack on
confidentiality
► Modification: This is an attack on integrity
► Fabrication: This is an attack on
authenticity
 OSI Security Architecture
► ITU-T X.800 Security Architecture for OSI
► Defines a systematic way of defining and
providing security requirements
► For us it provides a useful, abstract,
overview of concepts we will study
 Security Services
► X.800 defines it as: a service provided by a
protocol layer of communicating open systems,
which ensures adequate security of the systems or
of data transfers
► RFC 2828 defines it as: a processing or
communication service provided by a system to
give a specific kind of protection to system
resources
 Security Services (X.800)
► X.800defines security services in 5 major
categories
 Authentication - assurance that the
communicating entity is the one claimed
 Access Control - prevention of the unauthorized
use of a resource
 Data Confidentiality –protection of data from
unauthorized disclosure
 Data Integrity - assurance that data received is
as sent by an authorized entity
 Non-Repudiation - protection against denial by
one of the parties in a communication
 .
 Security Services
► Confidentiality (Privacy)
► Authentication (Who created or sent the data)
► Integrity (information has not been altered)
► Non-repudiation (the order is final)
► Access control (Prevent misuse of resources)
► Availability (Permanence, non-erasure)
 Denial of Service Attacks
 Virus that deletes files
 Security Mechanisms (X.800)
► Specific security mechanisms:
 Encipherment: Converting data into form that is not readable
 Digital signatures: To check authenticity and integrity of data
 Access controls: Enforcing access rights to resources
 Data integrity
 Authentication exchange
 Traffic padding: Insertion of bits to frustrate traffic analysis
 Routing control: Selection of secure routes
 Notarization: Use of trusted third party for data exchange
 .
 Security Mechanisms (X.800)
► Pervasive security mechanisms:
 trusted functionality: perceived to be correct
with respect to some criteria
 security labels:
 event detection: detection of security relevant
events
 security audit trails:
 security recovery:
 Classify Security Attacks as
► Passive attacks - eavesdropping on, or
monitoring of, transmissions to:
 obtain message contents, or
 monitor traffic flows
► Active attacks – modification of data stream to:
 masquerade of one entity as some other
 replay previous messages
 modify messages in transit
 denial of service
 Methods of Defense
► Encryption
► Software Controls (access limitations in a
data base, in operating system protect each
user from other users)
► Hardware Controls (smartcard)
► Policies (frequent changes of passwords)
► Physical Controls
 Internet standards and RFCs
► The Internet society
 Internet Architecture Board (IAB)
 Internet Engineering Task Force (IETF)
 Internet Engineering Steering Group (IESG)
Internet RFC Publication Process
Vulnerabilities in Network Protocols
 Outline
► TCP/IP Layering
► Names and Addresses
► Security Considerations for
 Address Resolution Protocol
 Internet Protocol
 Transmission Control Protocol
 FTP,Telnet, SMTP
 Web Security (Next Lecture)
► Browser Side Risks
► Server Side Risks
TCP/IP Layering
An Example
 Encapsulation
user data

HTTP
HTTP
client
client
HTTP hdr

TCP
TCP
TCP hdr

IP
IP
IP hdr

Ethernet
Ethernet
driver
driver
Eth. hdr tr.

Ethernet
 Demultiplexing
HTTP …
DNS …
FTP
SNMP
SMTP demuxing based on
the port number
in the TCP or UDP
header
TCP
TCP UDP
UDP
IGMP
IGMP
ICMP
ICMP demuxing based on the
protocol id in the IP header
IP
IP

RARP
RARP
ARP demuxing based on frame type
ARP in the Ethernet header
Ethernet
Ethernet
driver
driver
Names and Addresses
 Hardware (MAC) Addresses
► Every interface has a unique and fixed
hardware address too
► Used by the data link layer
► In case of Ethernet, it is 48 bits long
► Mapping between IP addresses and MAC
addresses are done by ARP
 Host Names
► Human readable, hierarchical names, such as
www.aumc.edu.pk
► Every host may have several names
► Mapping between names and IP addresses is done
by the Domain Name System (DNS)
Address Resolution Protocol
ARP – Address Resolution Protocol
► Mapping from IP addresses to MAC addresses
Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

192.168.0

arp req | target IP: 192.168.0.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

192.168.0

arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26

 ARP Spoofing
► An ARP request can be responded by another host
Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

192.168.0
arp req | target IP: 192.168.0.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

192.168.0

arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0

 ARP Spoofing .
► Used for sniffing on switched LAN
Attacker 1. Configure IP
forwarding
2. Send fake ARP
response to map 4. Sniff the
default router’s IP traffic from the
Victim to attacker’s MAC link

Switch 5. Packets are forwarded

from attacker’s machine
to actual default router
3. Victim sends Outside
traffic based on World
poisoned ARP cache
Default Router
 ARP Spoofing Prevention ?
► Cryptographic protection on the data is the only
way
 Not allow any untrusted node to read the contents of
your traffic
Internet Protocol
 IP – Internet Protocol
► Provides an unreliable, connectionless datagram delivery
service to the upper layers
► Its main function is routing
► It is implemented in both end systems and intermediate
systems (routers)
► Routers maintain routing tables that define the next hop
router towards a given destination (host or network)
► IP routing uses the routing table and the information in the
IP header (e.g., the destination IP address) to route a
packet
 IP Security Problems
► User data in IP packets is not protected in any way
 Anyone who has access to a router can read and
modify the user data in the packets
► IP packets are not authenticated
 It is fairly easy to generate an IP packet with an
arbitrary source IP address
► Traffic analysis
 Even if user data was encrypted, one could easily
determine who is communicating with whom by
just observing the addressing information in the IP
headers
 IP Security Problems
► Information exchanged between routers to maintain
their routing tables is not authenticated
 Correct routing table updates can be modified or
fake ones can be disseminated
 This may screw up routing completely leading to
loops or partitions
 It may also facilitate eavesdropping, modification,
and monitoring of traffic
 It may cause congestion of links or routers (i.e.,
denial of service)
Transmission Control Protocol
TCP – Transmission Control Protocol
► Provides a connection oriented, reliable, byte
stream service to the upper layers
► Connection oriented:
 Connection establishment phase prior to data
transfer
 State information (sequence numbers, window
size, etc.) is maintained at both ends
 TCP- Reliability
► Positiveacknowledgement scheme
(unacknowledged bytes are retransmitted after a
timeout)
► Checksum on both header and data
► Reordering of segments that are out of order
► Detection of duplicate segments
► Flow control (sliding window mechanism)
TCP Connection Establishment
Client Server
SYNC Listening

Store data
SYNS, ACKC

Wait
ACKS

Connected
 TCP Sequence Numbers
► TCP uses ISN (Initial Sequence Number) to order the incoming
packets for a connection
► Sequence numbers are 32 bits long
► The sequence number in a data segment identifies the first byte
in the segment
► Sequence numbers are initialized with a “random” value during
connection setup
► The RFC suggests that the ISN is incremented by one at least
every 4 s
 TCP SYN Attack
► Anattacker can impersonate a trusted host
(e.g., in case of r commands, authentication is
based on source IP address solely)
 This can be done guessing the sequence number in
the ongoing communication
 The initial sequence numbers are intended to be
more or less random
 TCP SYN Attack
► In Berkeley implementations, the ISN is incremented by
a constant amount
 128,000 once per second, and
 further 64,000 each time a connection is initiated
► RFC 793 specifies that the 32-bit counter be
incremented by 1 about every 4 s
 the ISN cycles every 4.55 hours
► Whatever! It is not hopeless to guess the next ISN to
be used by a system
 Launching a SYN Attack
► The attacker first establishes a valid
connection with the target to know its ISN.
► Next it impersonates itself as trusted host T
and sends the connection request with ISNx
► The target sends the ACK with its ISNs to the
trusted host T
► The attacker after the expected time sends
the ACK with predicted ISNs’
 Launching a SYN Attack

attacker server trusted host (T)

SYN = ISNX, SRC_IP = T
SYN = ISNS, ACK(ISNX)
ACK(ISNS), SRC_IP = T

SRC_IP = T, nasty_data
 What about the ACK for T?
► If the ACK is received by the trusted host T
 It will reject it, as no request for a connection was made by it
 RST will be sent and the server drops the connection
BUT!!!
► The attacker can either launch this attack when T is down
► Or launch some sort of DoS attack on T
 So that it can’t reply
TCP SYN Attack – How to Guess ISNS?
attacker server
SYN = ISN
X

, ACK (ISN X)
SN S
SYN = I
S YN = I S t
NX ’, SRC
_I P=T
SYN = IS
NS ’, ACK
( IS N )
ACK(ISN X
S ’), SRC_
IP =T

 ISNS’ (Attacker’s ISN) depends on ISNS and t

 t can be estimated from the round trip time
 Assume t can be estimated with 10 ms precision
TCP SYN Attack – How to Guess ISNS?

► Attacker has an uncertainty of 1280 in the

possible value for ISNS’
► Assume each trial takes 5 s
► The attacker has a reasonable likelihood of
succeeding in 6400 s and a near-certainty
within one day!
 How to Prevent it?
► Can be prevented by properly configuring
the firewall
 Do not allow any communication from outside
using the address of some internal network
 TCP SYN Flood
► Attacker’s goal is to C S
overwhelm the
destination machine SYNC1 Listening
with SYN packets with
spoofed IP SYNC2
► This results in:
 The server’s Store data
SYNC3
connection queue
filling up causing DoS
Attack SYNC4
 Or even if queue is
large enough, all ports
will be busy and the
SYNC5
service could not be
provided by the server
 How to Avoid TCP SYN Flood
► Decrease the wait time for half open connection
► Do not store the connection information
► Use SYN cookies as sequence numbers during
connection setup
► SYN cookie is some function applied on
 Dest IP, Source IP, Port numbers, Time and a
secret number
 TCP Congestion Control

Source

Destination

• If packets are lost, assume congestion

– Reduce transmission rate by half, repeat
– If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
TCP Congestion Control-Competition

Source A Destination

Source B Destination

• Friendly source A give way to overexcited source B

– Both senders experience packet loss
– Source A backs off
– Source B disobeys protocol, gets better results!
 DoS-Denial of Service Attacks
► Attempts to prevent the victim from being able to
establish connections
► Accomplished by involving the victim in heavy
processing
 like sending the TCP SYN packets to all ports of
the victim and avoiding new connection
establishment
► DoS attacks are much easier to accomplish than
gaining administrative access
 Exploiting Ping Command for
Smurf DoS Attack
1 ICMP Echo Req
3 ICMP Echo Reply
Src: DoS Target gateway
DoS Dest: DoS Target DoS
Dest: brdct addr Target
Source

• Send ping request to subnet-directed broadcast address with

spoofed IP (ICMP Echo Request)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo Reply)
to victim
– Ping reply stream can overload victim
 Smurf DoS Attack Prevention
► Have adequate bandwidth and redundant paths
► Filter ICMP messages to reject external packets to
broadcast address
FTP – File Transfer Protocol
client

user
user
interface
interface
user
server

protocol
protocol control connection protocol
protocol
interpreter
interpreter (FTP commands and replies) interpreter
interpreter

data
data data
data
data connection
transfer
transfer transfer
transfer
function
function function
function

file system file system

 FTP – File Transfer Protocol
► Typical FTP commands:
 RETR filename – retrieve (get) a file from the server
 STOR filename – store (put) a file on the server
 TYPE type – specify file type (e.g., A for ASCII)
 USER username – username on server
 PASS password – password on server
► FTP is a text (ASCII) based protocol

…
 FTP – File Transfer Protocol

client server
% ftp www.aumc.edu.pk <TCP connection setup to port 21 of www.aumc.edu.pk >
“220 www.aumc.edu.pk FTP server (version 5.60) ready.”
Connected to www.aumc.edu.pk
Name: abc
“USER abc”
“331 Password required for user abc.”

Password: pswd
“PASS pswd”

“230 User abc logged in.”

 Problems with FTP
► FTP information exchange is in clear text
 The attacker can easily eavesdrop and get the
secret information
 The attacker can also know the software version
of FTP running to exploit the vulnerabilities of
that particular version
 FTP Bounce Scans
► FTP has a feature to open connection with victim machine on the request from attacker machine
► Machine A (Attacker) can request to check for the open ports on the target machine X (Victim)

► Newer version of FTP does not support this forwarding feature

nt rol
P co ion
FT nect
con

FTP Server

Attacker Victim to be
scanned
 Telnet

► Provides remote login service to users

► Works between hosts that use different
operating systems
► Uses option negotiation between client and
server to determine what features are
supported by both ends
 Telnet

Telnet
Telnetclient Telnet
client Telnetserver
server login
loginshell
shell
kernel kernel

terminal
terminal pseudo-
pseudo-
TCP/IP
TCP/IP TCP/IP
TCP/IP
driver
driver terminal
terminal
driver
driver

TCP connection

user
 Telnet Session Example

► Single character at a time

 Telnet Example
client server
% telnet ahost.com.pk
<TCP connection setup to port 23 of ahost.com.pk>

Connected to ahost.com.pk
Escape character is ‘^]’.
<Telnet option negotiation>

“UNIX(r) System V Release 4.0”

“Login:”

Login: s
“s”

Login: st
“t”
… …
Login: student
“t”

“Password:”

Password: c
“c”
… …
Password: cab123
“3”

<OS greetings and shell prompt, e.g., “%”>

…
 Problems with Telnet
► Information exchange is in clear text
 The attacker can easily eavesdrop and get the
information like username and passwords
 The attacker can also know the version to
exploit the vulnerabilities of that particular
version
SMTP – Simple Mail Transfer Protocol
sending host

user
user mails to
agent
agent be sent

user
local
local SMTP relay
relay
MTA
MTA MTA
MTA

TCP connection SMTP

TCP port 25

relay
relay
MTA
MTA

SMTP
receiving host

local
local SMTP relay
relay
MTA
MTA MTA
MTA

user
user user
agent
agent mailbox
user
 SMTP
► SMTP is a text (ASCII) based protocol
► MTA transfers mail from the user to the
destination server
► MTA relays are used to relay the mail from
other clients
► MTAs use SMTP to talk to each other
► All the messages are spooled before sending
 SMTP Message Flow
sending MTA (mail.aumc.edu.pk) receiving MTA (smtp.yahoo.com)
<TCP connection establishment to port 25>
“HELO mail.aumc.edu.pk.”
“250 smtp.yahoo.com Hello mail.aumc.edu.pk., pleased to meet you”
“MAIL from: [email protected]”
“250 [email protected]... Sender ok”
“RCPT to: [email protected]”
“250 student2@yahoo… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>
.
“250 Mail accepted”
“QUIT”
“221 smtp.yahoo.com delivering mail”

70
 SMTP Security Problems
► Designed in an era where internet security was
not much of an issue
 No security at the base protocol
► Designed around the idea of “cooperation” and
“trust” between servers
 Susceptible to DoS attacks
►Simply flood a mail server with SMTP connections
or SMTP instructions.
 SMTP Security Problems
► SMTP does not provide any protection of e-mail
messages
 Does not ask sender to authenticate itself.
 Messages can be read and modified by any
of the MTAs involved
 Fake messages can easily be generated (e-
mail forgery)
 Does not check what and from whom it is
relaying the message
SMTP Security Problems Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^[’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6;
Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%
 Be Careful, Though!
Return-Path: <[email protected]>
Received: from frogstar.hit.com.pk ([email protected]
[152.66.248.44])
by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
with ESMTP id h1ADSsxG022719
for <[email protected]>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
for [email protected]; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: [email protected]
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:

Your fake message goes here.

Domain Name Server
 DNS – Domain Name Server
► The DNS is a distributed database that provides
mapping between hostnames and IP addresses
► The DNS name space is hierarchical
 Top level domains gTLDs: com, edu, gov, int, mil,
net, org, ccTLDs like ae, …, pk, … zw
 Top level domains may contain second level
domains
e.g., edu within pk, co within uk, …
 Second level domains may contain third level
domains, etc.
 Domain Name Server
► Usually (not always) a name server knows the IP
address of the top level name servers
► If a domain contains sub-domains, then the name
server knows the IP address of the sub-domain
name servers
► When a new host is added to a domain, the
administrator adds the (hostname, IP address)
mapping to the database of the local name server
 DNS – Domain Name Server
authority.aumc.edu.pk = ? authority.aumc.edu.pk = ?
local
local top
toplevel
level
application
application IP of ns in pk
name
namesrvsrv name
namesrv
srv
202.83.173.61

IP IP of
of n s in e
n du.p k name
namesrv srv
si
20 na ininpk
pk
2. um
83 c.e
. 17 du
. pk
3. name
61 namesrv
srv
ininedu.pk
 A single DNS reply may include several edu.pk

(hostname, IP address) mappings (Resource

name
namesrv
srvinin
Records) aumc.edu.pk
aumc.edu.pk
 Received information is cached by the name
server
 DNS spoofing
► The cache of a DNS name server is poisoned
with false information
► How to do it?
 Assume that the attacker wants
www.anything.com.pk to map to his own
IP address 202.83.173.59
 DNS Spoofing - Approach 1
► Attacker submits a DNS query
“www.anything.com.pk=?” to
ns.victim.com.pk
► A bit later it forges a DNS reply
“www.anything.com.pk=202.83.173.59”
► UDP makes forging easier but the
attacker must still predict the query ID
 DNS Spoofing – Approach 2
► Attacker has access to ns.attacker.com.pk
 The attacker modifies its local name server such that it
responds a query “www.attacker.com.pk=?” with
“www.anything.com.pk=202.83.173.59”
 The attacker then submits a query
“www.attacker.com.pk=?” to ns.victim.com.pk
 ns.victim.com.pk sends the query
“www.attacker.com.pk=?” to ns.attacker.com.pk
 ns.attacker.com.pk responds with
“www.anything.com.pk=202.83.173.59”
 Questions

???????????????
???????????????
????