Network Security

Overview
◼ What is security?
◼ Why do we need security?
◼ Who is vulnerable?
◼ Common security attacks and countermeasures
– Firewalls & Intrusion Detection Systems
– Denial of Service Attacks
– TCP Attacks
– Packet Sniffing
– Social Problems
15-441 Networks Fall 2002 1 15-441 Networks Fall 2002 2
What is “Security”?
◼ Dictionary.com says:
– 1. Freedom from risk or danger; safety.
– 2. Freedom from doubt, anxiety, or fear; confidence.
– 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts suspicious.
• 2. Measures adopted by a government to prevent espionage, sabotage, or attack.
• 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
…etc.

Why do we need security?
◼ Protect vital information while still allowing access to those who need it
– Trade secrets, medical records, etc.
◼ Provide authentication and access control for resources
◼ Guarantee availability of resources
– Ex: (99.999% reliability)
Who is vulnerable?
◼ Financial institutions and banks
◼ Internet service providers
◼ Medical companies
◼ Government and defense agencies
◼ Contractors to various government agencies
◼ Multinational corporations
◼ ANYONE ON THE NETWORK

Common security attacks and their countermeasures
◼ Finding a way into the network
– Firewalls
◼ Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
◼ Denial of Service
◼ TCP hijacking
◼ Packet sniffing
– Encryption (SSH, HTTPS)
Firewalls
◼ Basic problem – many network applications and protocols have security problems that are fixed over time
– Difficult for users to keep up with changes and keep the host secure
– Solution
• Administrators limit access to end hosts by using a firewall
• Firewall is kept up-to-date by administrators

Firewalls
◼ A firewall is like a castle with a drawbridge
– Only one point of access into the network
◼ Can be hardware or software
– Ex. Some routers come with firewall functionality
– Windows XP (and others) and Mac OS X have built-in firewalls
Firewalls
[Diagram: Internet – Firewall – DMZ (web server, email server, web proxy, etc.) – Firewall – Intranet]

Firewalls
◼ Used to filter packets based on a combination of features
– These are called packet filtering firewalls
• There are other types too, but they will not be discussed
– Ex. Drop packets with destination port of 23 (Telnet)
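An added example (not from the lecture) of the packet-filtering idea above: rules are matched in order on protocol, source/destination prefix and destination port, and the first match decides. The rule set, the DMZ address 192.0.2.10 and the 10.0.0.0/8 intranet are made-up assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a minimal packet-filtering firewall. Each rule matches on
# protocol, source prefix, destination prefix and destination port; the first
# rule that matches a packet decides its fate (accept or drop).

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "accept" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # any source
    dst: str = "0.0.0.0/0"          # any destination
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == p.dst_port

# Rule set (made-up documentation addresses): the slide's "drop Telnet" rule comes
# first, then web traffic to the DMZ web server is allowed, intranet hosts may
# initiate other connections, and everything else is dropped.
RULES: List[Rule] = [
    Rule("drop", proto="tcp", dst_port=23),                         # no Telnet, from anywhere
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dst_port=80),  # DMZ web server
    Rule("accept", src="10.0.0.0/8"),                               # intranet may initiate
    Rule("drop"),                                                   # default deny
]

def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule ("drop" if nothing matches)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", 23),
                Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
                Packet("udp", "198.51.100.7", "192.0.2.10", 53)):
        print(pkt, "->", filter_packet(pkt))
```

Because the Telnet rule sits first, port 23 is dropped even from the intranet; rule order is part of the policy.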
Intrusion Detection
◼ Used to monitor for “suspicious activity” on a network
– Can protect against known software exploits, like buffer overflows
– Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another. A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations

Dictionary Attack
◼ We can run a dictionary attack on the passwords
– Can take a dictionary of words, crypt() them all, and compare with the hashed passwords
◼ This is why your passwords should be meaningless random junk!
– For example, “sdfo839f” is a good password
Denial of Service
◼ Purpose: Make a network service unusable, usually by overloading the server or network
◼ Many different kinds of DoS attacks
– SYN flooding
– SMURF: A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
– Distributed attacks

Denial of Service
[Diagram: Smurf attack – the perpetrator sends an ICMP echo (spoofed source address of victim) across the Internet to the IP broadcast address of a network; every host on that network sends an ICMP echo reply to the victim]
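An added detection example for the Smurf pattern in the diagram above (not part of the lecture): the tell-tale sign at the victim is echo replies arriving from many distinct hosts that the victim never asked. The flow-record format and all addresses are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed ICMP flow records, one per packet:
# "<time> icmp <echo-request|echo-reply> <src> -> <dst>". The first two lines are
# a normal ping; the rest are a Smurf: one echo-request carrying the victim's
# spoofed source (203.0.113.9) hits a broadcast address and every host answers.
SAMPLE_LOG = """\
12:00:00 icmp echo-request 203.0.113.5 -> 198.51.100.1
12:00:00 icmp echo-reply 198.51.100.1 -> 203.0.113.5
12:00:01 icmp echo-request 203.0.113.9 -> 192.0.2.255
12:00:01 icmp echo-reply 192.0.2.1 -> 203.0.113.9
12:00:01 icmp echo-reply 192.0.2.2 -> 203.0.113.9
12:00:01 icmp echo-reply 192.0.2.3 -> 203.0.113.9
12:00:01 icmp echo-reply 192.0.2.4 -> 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) icmp (echo-request|echo-reply) (\S+) -> (\S+)$")

def parse(log: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (time, kind, src, dst) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_smurf_victims(log: str, min_sources: int = 3) -> List[str]:
    """Hosts receiving echo-replies from more distinct sources than the number of
    echo-requests attributed to them: unsolicited replies, from many hosts at once."""
    requests_sent: Counter = Counter()                      # src -> echo-requests from src
    reply_sources: Dict[str, Set[str]] = defaultdict(set)   # dst -> hosts replying to it
    for _, kind, src, dst in parse(log):
        if kind == "echo-request":
            requests_sent[src] += 1
        else:
            reply_sources[dst].add(src)
    return sorted(host for host, srcs in reply_sources.items()
                  if len(srcs) >= min_sources and len(srcs) > requests_sent[host])

if __name__ == "__main__":
    print("possible Smurf victims:", find_smurf_victims(SAMPLE_LOG))
```

The single spoofed request in the sample produces four replies, which is the amplification the attack depends on; a sensor at the victim's network would not even see the request.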
Denial of Service
◼ Distributed Denial of Service
– Same techniques as regular DoS, but on a much larger scale

Denial of Service
◼ How can we protect ourselves?
– Ingress filtering
• If a packet's source IP arrives on an interface that does not have a route back to that source address, then drop it
• RFC 2267 has more information about this
– Stay on top of CERT advisories and the latest security patches
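An added example (not from the lecture) of the ingress-filtering rule above, done as a reverse-path check: a packet passes only if the interface it arrived on is the one the router would use to send traffic back to its source. The routing table, interface names and sample arrivals are made-up assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example of reverse-path ingress filtering in the spirit of RFC 2267.
# The router keeps prefix -> interface; a packet is accepted only when the
# interface it arrived on is the one that leads back to its source address.
ROUTES: Dict[str, str] = {
    "10.0.0.0/8":   "eth0",   # customer network A, behind eth0
    "192.0.2.0/24": "eth1",   # customer network B, behind eth1
    "0.0.0.0/0":    "eth2",   # default route: the rest of the Internet is upstream
}

def route_for(addr: str, routes: Dict[str, str] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_len, best_iface = -1, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface

def ingress_ok(src: str, arrived_on: str, routes: Dict[str, str] = ROUTES) -> bool:
    """The reverse-path check: drop unless src is reachable through arrived_on."""
    return route_for(src, routes) == arrived_on

def dropped_sources(records: List[Tuple[str, str]],
                    routes: Dict[str, str] = ROUTES) -> List[str]:
    """Apply the check to (source address, arrival interface) records."""
    return [src for src, iface in records if not ingress_ok(src, iface, routes)]

# Constructed arrivals: two legitimate, one customer host spoofing an outside
# address (the Smurf perpetrator's trick), and one outside packet claiming an
# internal 10/8 source.
SAMPLE_RECORDS = [
    ("10.1.2.3", "eth0"),
    ("192.0.2.44", "eth1"),
    ("198.51.100.5", "eth0"),
    ("10.9.9.9", "eth2"),
]

if __name__ == "__main__":
    print("dropped:", dropped_sources(SAMPLE_RECORDS))   # 198.51.100.5 and 10.9.9.9
```

Applied at the customer edge, this check stops a host from emitting packets with a spoofed victim address, which is what the Smurf attack relies on.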
Packet Sniffing
◼ Recall how Ethernet works …
◼ When someone wants to send a packet to someone else …
◼ They put the bits on the wire with the destination MAC address …
◼ And remember that other hosts are listening on the wire to detect collisions …
◼ It couldn’t get any easier to figure out what data is being transmitted over the network!

Packet Sniffing
◼ This works for wireless too!
◼ In fact, it works for any broadcast-based medium
Packet Sniffing
◼ What kinds of data can we get?
◼ Asked another way, what kind of information would be most useful to a malicious user?
◼ Answer: Anything in plain text
– Passwords are the most popular

Packet Sniffing
◼ How can we protect ourselves?
◼ SSH, not Telnet
– Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
– Now that I have told you this, please do not exploit this information
– Packet sniffing is, by the way, prohibited by Computing Services
◼ HTTP over SSL
– Especially when making purchases with credit cards!
◼ SFTP, not FTP
– Unless you really don’t care about the password or data
– Can also use KerbFTP (download from MyAndrew)
◼ IPSec
– Provides network-layer confidentiality
Social Problems
◼ People can be just as dangerous as unprotected computer systems
– People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
– Most humans will break down once they are at the “harmed” stage, unless they have been specially trained
• Think government here…

Social Problems
◼ Fun Example 1:
– “Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me”
Social Problems
◼ Fun Example 2:
– Someone calls you in the middle of the night
• “Have you been calling Egypt for the last six hours?”
• “No”
• “Well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I’ll get rid of the charge for you”

Social Problems
◼ Fun Example 3:
– Who saw Office Space?
– In the movie, the three disgruntled employees installed a money-stealing worm onto the company's systems
– They did this from inside the company, where they had full access to the company's systems
• What security techniques can we use to prevent this type of access?
Social Problems
◼ There aren’t always solutions to all of these problems
– Humans will continue to be tricked into giving out information they shouldn’t
– Educating them may help a little here, but, depending on how badly you want the information, there are a lot of bad things you can do to get it
◼ So, the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
– But, this solution is still not perfect

Conclusions
◼ The Internet works only because we implicitly trust one another
◼ It is very easy to exploit this trust
◼ The same holds true for software
◼ It is important to stay on top of the latest CERT security advisories to know how to patch any security holes
Security related URLs
◼ http://www.robertgraham.com/pubs/network-intrusion-detection.html
◼ http://online.securityfocus.com/infocus/1527
◼ http://www.snort.org/
◼ http://www.cert.org/
◼ http://www.nmap.org/
◼ http://grc.com/dos/grcdos.htm
◼ http://lcamtuf.coredump.cx/newtcp/